[38539] in Kerberos


Questions about supported_enctypes

daemon@ATHENA.MIT.EDU (Dan Mahoney (Gushi))
Sat May 18 22:50:06 2019

Date: Sat, 18 May 2019 19:49:44 -0700 (PDT)
From: "Dan Mahoney (Gushi)" <danm@prime.gushi.org>
To: kerberos@mit.edu
Message-ID: <alpine.BSF.2.20.1905181934020.15940@prime.gushi.org>

All,

When I kinit from my macOS Mojave machine against $dayjob's KDC, I get the
following:

mustelid:~ dmahoney$ kinit
dmahoney@FOO.ORG's password:
Encryption type des3-cbc-sha1(16) used for authentication is weak and will be deprecated

Searching for this message yields surprisingly little.

My install of Mojave has no krb5.conf, so it's using whatever the
compiled-in defaults are.  Here are my questions, then.

q1: Is there a way of seeing what those are?  (Or, of spewing out a 
krb5.conf that reflects the defaults?)

q2: Is there a way of seeing which enctypes are supported on a krb5kdc
(i.e. as part of the kinit process, not by looking in the filesystem)?

q3: On the same note, what are others in the modern world moving to with
this algo being deprecated?  Is there a current recommendation?  If one
disables des3-cbc-sha1, what versions of Kerberos are you effectively
blackholing?

I've found links on the mit.edu page about DES (single-DES) being
deprecated, but not 3DES yet:

https://web.mit.edu/kerberos/www/krb5-1.12/doc/admin/advanced/retiring-des.html

But deprecation of 3des is mentioned in this internet draft:

https://tools.ietf.org/id/draft-ietf-curdle-des-des-des-die-die-die-01.html

(I have no idea about Apple's internal processes, or what other vendors
are following suit).

-Dan

-- 

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
FB:  fb.com/DanielMahoneyIV
LI:   linkedin.com/in/gushi
Site:  http://www.gushi.org
---------------------------

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
