[OpenAFS] MIT Kerberos des session key
Tue, 30 Jul 2013 14:39:56 -0400
Where is the session key for the afs/cell@REALM service principal
derived from? If I remove the des-cbc-crc encryption type from both the
afs/cell@REALM and the user principals will things still work without
having to upgrade all clients to openafs 1.6.5?
I would like to get rid of the single des key for the afs/cell@REALM
service principal as described in the security advisory.
I am running Red Hat 6.4 and MIT kerberos 1.10.3 that comes with rhel6.
I have upgraded all my db and file servers to openafs 1.6.5 and things
are working nicely, ( thanks everyone involved). Here is my config information.
My /var/kerberos/krb5kdc/kdc.conf file has the following in it, this
is the default from Red Hat:
supported_enctypes = aes256-cts:normal aes128-cts:normal
But when I create a user or a user changes their passwd they do not get
the "des-cbc-crc" encryption type, for example kadmin for a user shows:
Number of keys: 6
Key: vno 38, aes256-cts-hmac-sha1-96, no salt
Key: vno 38, aes128-cts-hmac-sha1-96, no salt
Key: vno 38, des3-cbc-sha1, no salt
Key: vno 38, arcfour-hmac, no salt
Key: vno 38, des-hmac-sha1, no salt
Key: vno 38, des-cbc-md5, no salt
Notice there is no des-cbc-crc encryption type for a user principal, I
is done on purpose. Note I also I have the following set in the
allow_weak_crypto = true
You can explicitly set des-cbc-crc in kadmin and of course I had to do that
for the afs principal:
Key: vno 10, des-cbc-crc, no salt
Using MIT "klist -e" command to show the encryption types while logged
Valid starting Expires Service principal
07/30/13 14:16:12 07/31/13 14:16:12 krbtgt/CSX.UNC.EDU@CSX.UNC.EDU
renew until 07/31/13 14:16:12, Etype (skey, tkt):
07/30/13 14:16:12 07/31/13 14:16:12 afs/cs.unc.edu@CSX.UNC.EDU
renew until 07/31/13 14:16:12, Etype (skey, tkt): des-cbc-crc,
So currently the skey (session key) and tkt key for afs/cs.unc.edu
So if I re-key afs/cs.unc.edu service principal to NOT USE des-cbc-crc
my understanding is you still need a des-cbc-crc session key unless
you upgrade all clients which is not feasible at this time. Will I be
ok without a des-cbs-crc key for the user and the service principal?
Can I also remove the des-cbc-md5:normal des-hmac-sha1:normal assuming
no other service is using it, (my guess is yes)? Thanks for your input.
John W. Sopko Jr. University of North Carolina
email: sopko AT cs.unc.edu Computer Science Dept., CB 3175
Phone: 919-590-6144 Fred Brooks Building; Room 140
Chapel Hill, NC 27599-3175