Current-Users archive


Re: kerberos issues with 10.0_BETA post openssl update

On 9/09/23 06:39, Ken Hornstein wrote:
> I don't know if you have control over this, but ... RC4?  In 2023?  Yikes.
> Kerberos clients do send a list of the supported crypto algorithms to the
> KDC as part of the AS-REQ message so this would indicate to me that one
> of three things is happening:
>
> 1) Your client is configured to only allow RC4 as a cipher (I've seen
>     this happen when people misguidedly configure this in the Kerberos
>     configuration files; normally this should never be done except in very
>     unusual circumstances)
> 2) Your KDC does not support crypto algorithms other than RC4,
>     which ... double yikes if that's the case.
> 3) Your KDC DOES support more modern crypto algorithms but you haven't
>     changed your password in approximately forever.
>
> If this is 1 or 3 it should be easy to fix and probably would be a good
> idea to do so.


Yes, clients send lists of supported crypto algorithms and KDCs have lists of keys of different etypes that can be used for a given principal, and they negotiate which one they are going to use between what the client and server support.

By default heimdal makes keys of the following three etypes:
	aes256-cts-hmac-sha1-96
	des3-cbc-sha1
	arcfour-hmac-md5

so in actual usage pretty well everything is going to use
aes256-cts-hmac-sha1-96 (unless you have a really old client out there), but the KDC is still going to create or update keys of all three types, and that is what's failing here.

And yes I could probably explicitly add

      default_etypes = aes256-cts-hmac-sha1-96

to krb5.conf to drop the two obsolete types but then I'd have to notice and change it again if at some point in the future heimdal changed its defaults to something new.

cheers
mark
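The negotiation both posters describe, and the krb5.conf audit Mark's `default_etypes` remark suggests, as an added illustration that is not part of the thread and not code from Heimdal or either poster. The enctype names are the real Kerberos names the thread uses; the client/KDC lists and the krb5.conf text are constructed sample input, and the `default_tkt_enctypes`, `default_tgs_enctypes` and `permitted_enctypes` keys are the MIT krb5 spellings added alongside Heimdal's `default_etypes` from the message.

```python
"""Model Kerberos enctype negotiation and audit krb5.conf etype lists.

Added example for the thread above (not Heimdal's code). The three
diagnostic labels follow the three cases in Ken Hornstein's message.
"""
import re

# The two enctypes the thread calls obsolete.
WEAK_ETYPES = {"arcfour-hmac-md5", "des3-cbc-sha1"}

# Heimdal's default key set as listed in the thread, strongest first.
HEIMDAL_DEFAULT_KEY_ETYPES = [
    "aes256-cts-hmac-sha1-96",
    "des3-cbc-sha1",
    "arcfour-hmac-md5",
]

# Etype list keys recognised in [libdefaults]: default_etypes is Heimdal's
# (from the thread); the other three are MIT krb5's names (assumption: the
# file being audited is one of those two implementations).
ETYPE_KEYS = ("default_etypes", "default_tkt_enctypes",
              "default_tgs_enctypes", "permitted_enctypes")


def negotiate(client_etypes, kdc_key_etypes):
    """Pick the first enctype in the client's preference order for which
    the KDC holds a key for the principal; None if nothing overlaps."""
    kdc_keys = set(kdc_key_etypes)
    for et in client_etypes:
        if et in kdc_keys:
            return et
    return None


def diagnose_rc4(client_etypes, kdc_key_etypes):
    """Label why a session ended up on a weak enctype.

    'client-restricted'  : case 1, the client offers only weak types.
    'kdc-or-principal-weak': cases 2 and 3, the KDC holds only weak keys
                           for this principal (from the client side the two
                           cases look the same).
    'weak-chosen'        : both sides have strong types but the client's
                           preference order put a weak one first.
    """
    chosen = negotiate(client_etypes, kdc_key_etypes)
    if chosen is None:
        return "no-common-etype"
    if chosen not in WEAK_ETYPES:
        return "strong"
    if all(et in WEAK_ETYPES for et in client_etypes):
        return "client-restricted"
    if all(et in WEAK_ETYPES for et in kdc_key_etypes):
        return "kdc-or-principal-weak"
    return "weak-chosen"


def parse_libdefaults_etypes(conf_text):
    """Return {key: [etype, ...]} for the etype list keys found in the
    [libdefaults] section of krb5.conf-style text. Comments start with
    '#' or ';'; list values may be space- or comma-separated."""
    result = {}
    section = None
    for raw in conf_text.splitlines():
        line = re.split(r"[#;]", raw, 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key in ETYPE_KEYS:
            result[key] = [et for et in re.split(r"[\s,]+", value.strip()) if et]
    return result


def weak_etypes_in_conf(conf_text):
    """Sorted list of weak enctypes that any etype list in the file still
    permits; empty when the file pins only strong types."""
    found = set()
    for etypes in parse_libdefaults_etypes(conf_text).values():
        found.update(et for et in etypes if et in WEAK_ETYPES)
    return sorted(found)


# Constructed sample krb5.conf fragment, not from any real host.
SAMPLE_CONF = """
[libdefaults]
    default_realm = EXAMPLE.ORG   # constructed sample
    default_etypes = aes256-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5
[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
    }
"""

if __name__ == "__main__":
    print("negotiated:", negotiate(HEIMDAL_DEFAULT_KEY_ETYPES, HEIMDAL_DEFAULT_KEY_ETYPES))
    print("RC4-only client:", diagnose_rc4(["arcfour-hmac-md5"], HEIMDAL_DEFAULT_KEY_ETYPES))
    print("weak etypes still permitted:", weak_etypes_in_conf(SAMPLE_CONF))
```

Running the module prints the negotiated type for the default Heimdal lists, the label for an RC4-only client, and the weak types the sample file still permits. Pinning `default_etypes` to the AES type alone makes `weak_etypes_in_conf` return an empty list, which is exactly the state Mark says he could configure but would then have to keep in sync with future Heimdal defaults.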

