[39299] in Kerberos

Removing deprecated keys

daemon@ATHENA.MIT.EDU (Dan Mahoney (Gushi))
Tue Oct 31 21:17:56 2023

Date: Wed, 1 Nov 2023 01:16:15 +0000 (UTC)
From: "Dan Mahoney (Gushi)" <danm@prime.gushi.org>
To: kerberos@mit.edu
Message-ID: <7e384a59-8a34-3305-f46f-30ea18942b5d@prime.gushi.org>

Hey there folks,

We've recently gone through all the hard work of switching off 3des on our 
kdcs and rolling all the things, but one of the things we note is that 
some of our users still have the keys with the old enctypes present.  Is 
there a way to delete just those deprecated keys, without forcing a 
password change?

Failed password attempts: 0
Number of keys: 5
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96
Key: vno 2, DEPRECATED:des3-cbc-sha1 <-- Yeet?
Key: vno 2, aes128-cts-hmac-sha256-128
Key: vno 2, aes256-cts-hmac-sha384-192
MKey: vno 3
Attributes: REQUIRES_PRE_AUTH
Policy: [none]

-Dan

-- 

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
FB:  fb.com/DanielMahoneyIV
LI:   linkedin.com/in/gushi
Site:  http://www.gushi.org
---------------------------

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos