Current-Users archive
Re: kerberos issues with 10.0_BETA post openssl update
On 9/09/23 06:39, Ken Hornstein wrote:
> I don't know if you have control over this, but ... RC4? In 2023? Yikes.
> Kerberos clients do send a list of the supported crypto algorithms to the
> KDC as part of the AS-REQ message so this would indicate to me that one
> of three things is happening:
> 1) Your client is configured to only allow RC4 as a cipher (I've seen
> this happen when people misguidedly configure this in the Kerberos
> configuration files; normally this should never be done except in very
> unusual circumstances)
> 2) Your KDC does not support crypto algorithms other than RC4,
> which ... double yikes if that's the case.
> 3) Your KDC DOES support more modern crypto algorithms but you haven't
> changed your password in approximately forever.
> If this is 1 or 3 it should be easy to fix and probably would be a good
> idea to do so.
Yes, clients send lists of supported crypto algorithms and KDCs have
lists of keys of different etypes that can be used for a given principal,
and they negotiate which one they are going to use between what the
client and server support.
By default heimdal makes keys of the following three etypes:
aes256-cts-hmac-sha1-96
des3-cbc-sha1
arcfour-hmac-md5
so in actual usage pretty well everything is going to use
aes256-cts-hmac-sha1-96 (unless you have a really old client out there),
but the KDC is still going to create or update keys of all three types,
and that is what's failing here.
And yes I could probably explicitly add
default_etypes = aes256-cts-hmac-sha1-96
to krb5.conf to drop the two obsolete types but then I'd have to notice
and change it again if at some point in the future heimdal changed its
defaults to something new.
cheers
mark
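A small model of the behaviour Mark describes, added here as an illustration (it is not Heimdal's code): key creation must succeed for every etype in `default_etypes`, so a crypto backend that has dropped the legacy ciphers fails unless the list is narrowed, while the per-request negotiation already settles on AES. The krb5.conf text and the set of backend-available etypes are constructed; RFC 4120's first-match rule for the KDC's etype choice is the only assumed protocol detail.

```python
"""Model of the Heimdal behaviour described in the thread (illustration only, not
Heimdal's code): the KDC creates a key of every configured etype when a principal
is created or its password changed, while each AS-REQ picks one etype by walking
the client's list in the client's preference order (RFC 4120 section 3.1.3)."""

# Heimdal's default key set, in the order given in the thread.
HEIMDAL_DEFAULT_ETYPES = ("aes256-cts-hmac-sha1-96", "des3-cbc-sha1", "arcfour-hmac-md5")


def configured_etypes(krb5_conf: str) -> tuple:
    """Return default_etypes from [libdefaults], or Heimdal's defaults if unset."""
    section = None
    for raw in krb5_conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "default_etypes":
                return tuple(value.split())
    return HEIMDAL_DEFAULT_ETYPES


def missing_key_etypes(etypes, backend_etypes) -> list:
    """Etypes the KDC must key but the crypto backend can no longer provide.
    A non-empty result is the key create/update failure seen in the thread."""
    return [e for e in etypes if e not in backend_etypes]


def negotiate_etype(client_etypes, principal_key_etypes):
    """KDC side of AS-REQ: first etype in the client's order for which it holds a
    key for the principal; None models KDC_ERR_ETYPE_NOSUPP."""
    for etype in client_etypes:
        if etype in principal_key_etypes:
            return etype
    return None


if __name__ == "__main__":
    # Constructed: an OpenSSL-backed build that no longer offers RC4 and 3DES.
    backend = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"}
    for conf in ("[libdefaults]\n", "[libdefaults]\n default_etypes = aes256-cts-hmac-sha1-96\n"):
        etypes = configured_etypes(conf)
        print(etypes, "missing:", missing_key_etypes(etypes, backend))
    # Negotiation picks AES even when all three default keys exist.
    print(negotiate_etype(("aes256-cts-hmac-sha1-96", "arcfour-hmac-md5"), set(HEIMDAL_DEFAULT_ETYPES)))
```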