[OpenAFS] Re: MIT Kerberos des session key

John Sopko sopko@cs.unc.edu
Mon, 5 Aug 2013 10:38:26 -0400


I updated our db and file servers and dropped in the new rxkad.keytab.
Things appear to be working great! We updated all our linux machines
and we are completely off single DES for those. Now onto Windows
machines. Thanks for all the input!

On Tue, Jul 30, 2013 at 2:39 PM, John Sopko <sopko@cs.unc.edu> wrote:
> Where is the session key for the afs/cell@REALM service principal
> derived from? If I remove the des-cbc-crc encryption type from both the
> afs/cell@REALM and the user principals will things still work without
> having to upgrade all clients to openafs 1.6.5?
>
> I would like to get rid of the single des key for the afs/cell@REALM
> service principal as described in the security advisory.
>
> I am running Red Hat 6.4 and MIT kerberos 1.10.3 that comes with rhel6.
> I have upgraded all my db and file servers to openafs 1.6.5 and things
> are working nicely (thanks everyone involved). Here is my config information.
>
> My /var/kerberos/krb5kdc/kdc.conf file has the following in it, this
> is the default from Red Hat:
>
> supported_enctypes = aes256-cts:normal aes128-cts:normal
>                      des3-hmac-sha1:normal arcfour-hmac:normal
>                      des-hmac-sha1:normal des-cbc-md5:normal
>                      des-cbc-crc:normal
>
> But when I create a user or a user changes their passwd they do not get
> the "des-cbc-crc" encryption type, for example kadmin for a user shows:
>
> Principal: sopko@CSX.UNC.EDU
> Number of keys: 6
> Key: vno 38, aes256-cts-hmac-sha1-96, no salt
> Key: vno 38, aes128-cts-hmac-sha1-96, no salt
> Key: vno 38, des3-cbc-sha1, no salt
> Key: vno 38, arcfour-hmac, no salt
> Key: vno 38, des-hmac-sha1, no salt
> Key: vno 38, des-cbc-md5, no salt
>
> Notice there is no des-cbc-crc encryption type for a user principal; I
> believe this is done on purpose. Note I also have the following set in
> the /etc/krb5.conf file.
>
> [libdefaults]
> allow_weak_crypto = true
>
> You can explicitly set des-cbc-crc in kadmin and of course I had to do that
> for the afs principal:
>
> Principal: afs/cs.unc.edu@CSX.UNC.EDU
> Key: vno 10, des-cbc-crc, no salt
>
> Using MIT "klist -e" command to show the encryption types while logged
> in shows:
>
> Valid starting     Expires            Service principal
> 07/30/13 14:16:12  07/31/13 14:16:12  krbtgt/CSX.UNC.EDU@CSX.UNC.EDU
>         renew until 07/31/13 14:16:12, Etype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1
> 07/30/13 14:16:12  07/31/13 14:16:12  afs/cs.unc.edu@CSX.UNC.EDU
>         renew until 07/31/13 14:16:12, Etype (skey, tkt): des-cbc-crc, des-cbc-crc
>
> So currently the skey (session key) and tkt key for afs/cs.unc.edu
> is des-cbc-crc.
>
> So if I re-key afs/cs.unc.edu service principal to NOT USE des-cbc-crc
> my understanding is you still need a des-cbc-crc session key unless
> you upgrade all clients which is not feasible at this time. Will I be
> ok without a des-cbc-crc key for the user and the service principal?
> Can I also remove the des-cbc-md5:normal des-hmac-sha1:normal assuming
> no other service is using it (my guess is yes)? Thanks for your input.
>
> --
> John W. Sopko Jr.                    University of North Carolina
> email: sopko AT cs.unc.edu      Computer Science Dept., CB 3175
> Phone: 919-590-6144                Fred Brooks Building; Room 140
>                                                Chapel Hill, NC 27599-3175



-- 
John W. Sopko Jr.                    University of North Carolina
email: sopko AT cs.unc.edu      Computer Science Dept., CB 3175
Phone: 919-590-6144                Fred Brooks Building; Room 140
                                               Chapel Hill, NC 27599-3175
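The thread above audits single-DES usage by eye, reading `kadmin getprinc` and `klist -e` output. The following script is an added example, not part of John's message or of OpenAFS or MIT Kerberos: it parses both kinds of output and reports every principal that still has a single-DES long-term key and every cached ticket whose session key or ticket key is single DES. The sample input is taken from the thread (the user and afs principals and the two tickets shown there) and embedded as constants so the script runs offline; the enctype names it flags are the ones MIT Kerberos prints, with des-cbc-md4 added because it is also single DES. The parser assumes the MIT output format shown in the thread (`Key: vno N, enctype, salt` and `Etype (skey, tkt): X, Y`); rejoining wrapped `klist` lines is done by collapsing whitespace, so it also tolerates the line breaks that mail clients insert.

```python
import re

# Single-DES enctype names as MIT Kerberos prints them. Three of these
# appear in the thread; des-cbc-md4 is added because it is also single DES.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-hmac-sha1"}

# Constructed sample input, copied from the kadmin output quoted in the thread.
KADMIN_OUTPUT = """\
Principal: sopko@CSX.UNC.EDU
Number of keys: 6
Key: vno 38, aes256-cts-hmac-sha1-96, no salt
Key: vno 38, aes128-cts-hmac-sha1-96, no salt
Key: vno 38, des3-cbc-sha1, no salt
Key: vno 38, arcfour-hmac, no salt
Key: vno 38, des-hmac-sha1, no salt
Key: vno 38, des-cbc-md5, no salt
Principal: afs/cs.unc.edu@CSX.UNC.EDU
Key: vno 10, des-cbc-crc, no salt
"""

# Constructed sample input, copied from the "klist -e" output in the thread
# (including the line wrapping the mail client introduced).
KLIST_OUTPUT = """\
Valid starting     Expires            Service principal
07/30/13 14:16:12  07/31/13 14:16:12  krbtgt/CSX.UNC.EDU@CSX.UNC.EDU
        renew until 07/31/13 14:16:12, Etype (skey, tkt):
des3-cbc-sha1, des3-cbc-sha1
07/30/13 14:16:12  07/31/13 14:16:12  afs/cs.unc.edu@CSX.UNC.EDU
        renew until 07/31/13 14:16:12, Etype (skey, tkt): des-cbc-crc,
des-cbc-crc
"""


def is_single_des(enctype):
    """True if the enctype name is one of the single-DES types."""
    return enctype.strip().lower() in SINGLE_DES


def single_des_keys(getprinc_output):
    """Map each principal in 'kadmin getprinc' output to the list of its
    single-DES long-term key enctypes (empty list if it has none)."""
    result = {}
    current = None
    for line in getprinc_output.splitlines():
        line = line.strip()
        m = re.match(r"Principal:\s*(\S+)", line)
        if m:
            current = m.group(1)
            result[current] = []
            continue
        m = re.match(r"Key:\s*vno\s+\d+,\s*([\w-]+)", line)
        if m and current is not None and is_single_des(m.group(1)):
            result[current].append(m.group(1))
    return result


# Service principal, optional "renew until" clause, then the two enctypes.
_TICKET_RE = re.compile(
    r"(\S+@\S+)\s+(?:renew until [^,]+,\s*)?"
    r"Etype \(skey, tkt\):\s*([\w-]+),\s*([\w-]+)")


def single_des_tickets(klist_output):
    """Return (service, skey, tkt) for every ticket in 'klist -e' output whose
    session key or ticket key is single DES."""
    flat = " ".join(klist_output.split())  # undo any line wrapping
    hits = []
    for service, skey, tkt in _TICKET_RE.findall(flat):
        if is_single_des(skey) or is_single_des(tkt):
            hits.append((service, skey, tkt))
    return hits


if __name__ == "__main__":
    for princ, weak in single_des_keys(KADMIN_OUTPUT).items():
        if weak:
            print("single-DES key(s) on %s: %s" % (princ, ", ".join(weak)))
    for service, skey, tkt in single_des_tickets(KLIST_OUTPUT):
        print("single-DES ticket for %s: skey=%s tkt=%s" % (service, skey, tkt))
```

Run against live output with `kadmin -q "getprinc afs/cs.unc.edu"` and `klist -e` piped into the two functions; an empty report from both, after the service principal has been re-keyed, is the check that no single-DES key or session key remains in play.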