[24211] in Kerberos
Re: Updating encryption types
daemon@ATHENA.MIT.EDU (Phil Dibowitz)
Tue Jul 5 16:49:50 2005
Date: Tue, 5 Jul 2005 13:48:54 -0700
From: Phil Dibowitz <phil@usc.edu>
To: kerberos@mit.edu
Message-ID: <20050705204853.GE27759@usc.edu>
Mail-Followup-To: kerberos@mit.edu
In-Reply-To: <20050704202911.GA14872@sun.com>
On Mon, Jul 04, 2005 at 03:29:11PM -0500, Will Fiveash wrote:
> > 1. Changing the enctypes (the previous admin had it hard coded) will cause
> > session keys to use the new enctypes, but other keys will not immediately see
> > effect.
> 
> If you mean creating a new set of enctype keys for service princs will
> have an immediate effect on the enctype of session keys issued after
> the new keys are created then yes (make sure the service systems
> krb5.keytab is updated also). I am not sure what you mean by "other
> keys".
What I meant was "changing enctypes in kdc.conf and krb5.conf and doing
nothing else should at best up the encryption of the session keys. Nothing
else will change until passwords are changed."
> > Is there a way to tell what encryption type is being used for the session
> > key? I'm assuming the "3 etypes {511 511 1}" means there are three encryption
> > types defined (which seems right)... but then there's "etypes {rep=1 tkt=1
> > ses=1}" which I interpret to say the session key is type "1" (DES?).
> 
> klist -e should show something like:
> $ klist -e
> Ticket cache: FILE:/tmp/krb5cc_10224
> Default principal: jimmy@SUN.COM
> 
> Valid starting     Expires            Service principal
> 07/04/05 15:12:13  07/04/05 23:12:13  krbtgt/SUN.COM@SUN.COM
>         renew until 07/11/05 15:12:13, Etype(skey, tkt): AES-128 CTS mode with 96-bit SHA-1 HMAC, AES-128 CTS mode with 96-bit SHA-1 HMAC
Ah, very cool. So in my test environment I have a KDC with a bunch of DES
encrypted principals. I changed the "enctypes" on both krb5.conf and kdc.conf
from des to rc4, des3, and des, and changed the password on my principal. I
now see:
Number of keys: 3
Key: vno 10, ArcFour with HMAC/md5, no salt
Key: vno 10, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 10, DES cbc mode with CRC-32, no salt
Attributes:
from kadmin, great (though is that "no salt" supposed to be there?)!
However, klist -e shows:
[phil@frantic unstale]$ klist -e
Ticket cache: FILE:/tmp/krb5cc_36070
Default principal: phil@ISD.USC.EDU
Valid starting     Expires            Service principal
07/05/05 13:36:31  07/05/05 23:36:31  krbtgt/ISD.USC.EDU@ISD.USC.EDU
        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
[phil@frantic unstale]$
and the logs show:
Jul 05 13:36:31 frantic.usc.edu krb5kdc[26284](info): AS_REQ (3 etypes {23 16 1}) 128.125.10.120: ISSUE: authtime 1120595791, etypes {rep=23 tkt=1 ses=1}, phil@ISD.USC.EDU for krbtgt/ISD.USC.EDU@ISD.USC.EDU
Neither the session key nor my principal key seems to have been using the new
encryption... it's not clear to me why...
-- 
Phil Dibowitz
Systems Architect and Administrator
Enterprise Infrastructure / ISD / USC
UCC 180 - 213-821-5427
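For readers trying to make sense of the krb5kdc ISSUE line quoted above: in MIT's log format, rep= is the enctype of the client's long-term key used to encrypt the AS-REP, tkt= is the enctype of the service key (for an AS_REQ, the krbtgt key) the ticket is sealed with, and ses= is the enctype of the issued session key. The KDC cannot seal a ticket or choose a session key in an enctype the service principal has no key for, so an audit that compares the enctypes the client offered with the ones that were actually issued quickly shows which principals still need their keys re-created. The following Python script is an added example written for this archive page, not code from the original message or from the MIT Kerberos project. The enctype numbers come from the IANA Kerberos registry; the regular expression is written against the log line shape shown in the message, the first sample line reproduces that line re-joined onto one physical line, and the remaining sample lines are constructed.

```python
import re

# Enctype numbers from the IANA Kerberos registry (RFC 3961 / RFC 4120); the
# numeric etype fields in the KDC log refer to these.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
WEAK = {1, 2, 3}     # single DES: 56-bit keys, considered broken
LEGACY = {16, 23}    # 3DES and RC4-HMAC: deprecated, worth flagging

# Matches the ISSUE record krb5kdc writes for AS_REQ / TGS_REQ, assuming the
# record sits on one physical line (syslog does not wrap it; mail clients do).
ISSUE_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<offered>[\d ]+)\}\) \S+: ISSUE: authtime \d+, "
    r"etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, "
    r"(?P<client>\S+) for (?P<service>\S+)"
)


def enctype_name(etype):
    """Human-readable name for an enctype number, or a generic label if unknown."""
    return ENCTYPE_NAMES.get(etype, f"etype-{etype}")


def parse_issue_line(line):
    """Parse one KDC ISSUE log line; return None for lines that are not ISSUE records."""
    m = ISSUE_RE.search(line)
    if not m:
        return None
    return {
        "request": m["req"],
        "offered": [int(x) for x in m["offered"].split()],  # in the client's order
        "rep": int(m["rep"]),   # enctype of the client's long-term key (reply encryption)
        "tkt": int(m["tkt"]),   # enctype of the service key the ticket is sealed with
        "ses": int(m["ses"]),   # enctype of the issued session key
        "client": m["client"],
        "service": m["service"],
    }


def audit_issue(rec):
    """Return (severity, message) findings for one parsed ISSUE record."""
    findings = []
    who = f"{rec['client']} -> {rec['service']}"
    for field, label in (("rep", "reply key"), ("tkt", "ticket key"), ("ses", "session key")):
        et = rec[field]
        if et in WEAK:
            findings.append(("weak", f"{label} is {enctype_name(et)} ({who})"))
        elif et in LEGACY:
            findings.append(("legacy", f"{label} is {enctype_name(et)} ({who})"))
    # The client preferred something stronger than the session key it got: the
    # service principal (for an AS_REQ, krbtgt) most likely still has only weak keys.
    preferred = rec["offered"][0]
    if preferred not in WEAK and rec["ses"] in WEAK:
        findings.append(("downgrade",
                         f"client preferred {enctype_name(preferred)} but session key is "
                         f"{enctype_name(rec['ses'])}; check the keys of {rec['service']}"))
    return findings


def audit_log(lines):
    """Run the audit over raw log lines, returning all findings in order."""
    out = []
    for line in lines:
        rec = parse_issue_line(line)
        if rec:
            out.extend(audit_issue(rec))
    return out


# Constructed sample input: line 1 is the record from the message above joined
# onto one line, line 2 is a constructed AES-only case, line 3 is noise.
SAMPLE_LOG = [
    "Jul 05 13:36:31 frantic.usc.edu krb5kdc[26284](info): AS_REQ (3 etypes {23 16 1}) "
    "128.125.10.120: ISSUE: authtime 1120595791, etypes {rep=23 tkt=1 ses=1}, "
    "phil@ISD.USC.EDU for krbtgt/ISD.USC.EDU@ISD.USC.EDU",
    "Jul 05 13:40:02 frantic.usc.edu krb5kdc[26284](info): AS_REQ (2 etypes {18 17}) "
    "128.125.10.121: ISSUE: authtime 1120596002, etypes {rep=18 tkt=18 ses=18}, "
    "alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST",
    "Jul 05 13:41:00 frantic.usc.edu krb5kdc[26284](info): preauth (timestamp) verify failure",
]

if __name__ == "__main__":
    for severity, msg in audit_log(SAMPLE_LOG):
        print(f"[{severity}] {msg}")
```

Run against the record from the message, the script reports the reply key as rc4-hmac (the principal whose password was changed did pick up the new key) but the ticket key and session key as des-cbc-crc, plus a downgrade finding pointing at krbtgt/ISD.USC.EDU: the principal whose keys determine both of those values. Pointed at a real KDC log, the same loop over file lines is enough to list every service principal whose keys still need regenerating.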