[16541] in Kerberos_V5_Development


Poor enctype used after rekeying TGT

daemon@ATHENA.MIT.EDU (Jonathan Reams)
Thu Dec 9 10:19:40 2010

From: Jonathan Reams <jr3074@columbia.edu>
Date: Thu, 9 Dec 2010 10:19:35 -0500
Message-Id: <413A8D3B-1B09-4045-A402-ACB64444C2F0@columbia.edu>
To: krbdev@mit.edu
Mime-Version: 1.0 (Apple Message framework v1082)
Cc: Matt Selsky <selsky@columbia.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

We recently rekeyed our krbtgt to take advantage of new and improved encryption types (and slaughter DES-CBC-CRC), and we ended up with 5 keys.

Key: vno 3, DES cbc mode with CRC-32, no salt
Key: vno 3, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 3, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 3, ArcFour with HMAC/md5, no salt
Key: vno 2, DES cbc mode with CRC-32, Version 4

Everything seems okay there, but when I get a TGT, the skey uses a high encryption type, while the tkt uses a very weak encryption type.

[minotaur:~]$ klist -e
Ticket cache: FILE:/tmp/krb5cc_266357_kfGiUN1020
Default principal: jr3074@CC.COLUMBIA.EDU

Valid starting     Expires            Service principal
12/09/10 09:41:10  12/09/10 19:41:10  krbtgt/CC.COLUMBIA.EDU@CC.COLUMBIA.EDU
	renew until 12/10/10 09:41:10, Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, DES cbc mode with CRC-32 

What do we need to do to eviscerate DES-CBC-CRC? Can't clients that understand the better types get them automatically?

Jonathan Reams
Columbia University
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
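The klist output above distinguishes two enctypes: the session key (skey), which the client negotiates with the KDC, and the ticket enctype (tkt), which is whatever krbtgt key the KDC chose to encrypt the ticket with. The client never holds that key, so a client preferring AES cannot by itself change the tkt column; only the KDC side can. The following script, an added example that is not part of the post or of MIT krb5, parses `klist -e` output and flags tickets whose ticket enctype (not session key) is single DES. The sample output and the list of patterns treated as weak are constructed for the example; the second ticket is invented for contrast.

```python
"""Flag Kerberos tickets whose *ticket* enctype is weak, parsed from `klist -e`.

Added example, not part of the original post. The skey/tkt split matters:
a strong skey with a DES tkt still means the TGT itself is DES-encrypted.
"""
import re

# Enctype names as MIT klist prints them. Single DES is treated as weak here;
# this list is an assumption for the example, extend it to local policy.
WEAK_PATTERNS = (re.compile(r"^DES cbc mode"),)

# "12/09/10 09:41:10  12/09/10 19:41:10  krbtgt/REALM@REALM"
TICKET_RE = re.compile(
    r"^(?P<start>\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+"
    r"(?P<exp>\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(?P<svc>\S+)\s*$"
)
# "... Etype (skey, tkt): <session key enctype>, <ticket enctype>"
ETYPE_RE = re.compile(r"Etype \(skey, tkt\): (?P<skey>.+?), (?P<tkt>.+?)\s*$")

# Constructed sample modelled on the post; the host/ ticket is invented.
SAMPLE = """Ticket cache: FILE:/tmp/krb5cc_266357_kfGiUN1020
Default principal: jr3074@CC.COLUMBIA.EDU

Valid starting     Expires            Service principal
12/09/10 09:41:10  12/09/10 19:41:10  krbtgt/CC.COLUMBIA.EDU@CC.COLUMBIA.EDU
\trenew until 12/10/10 09:41:10, Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, DES cbc mode with CRC-32
12/09/10 09:42:03  12/09/10 19:41:10  host/server.example@CC.COLUMBIA.EDU
\trenew until 12/10/10 09:41:10, Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
"""


def parse_klist(text):
    """Return one dict per ticket: service, skey, tkt (None if no Etype line)."""
    tickets = []
    current = None
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            current = {"service": m.group("svc"), "skey": None, "tkt": None}
            tickets.append(current)
            continue
        m = ETYPE_RE.search(line)
        if m and current is not None:
            # The Etype line belongs to the most recently seen ticket.
            current["skey"] = m.group("skey")
            current["tkt"] = m.group("tkt")
    return tickets


def is_weak(enctype):
    """True if the enctype name matches one of the weak patterns."""
    return any(p.search(enctype) for p in WEAK_PATTERNS)


def weak_tickets(text):
    """Tickets whose ticket enctype (tkt), not session key, is weak."""
    return [t for t in parse_klist(text) if t["tkt"] is not None and is_weak(t["tkt"])]


if __name__ == "__main__":
    for t in parse_klist(SAMPLE):
        flag = "WEAK TKT" if is_weak(t["tkt"] or "") else "ok"
        print(f"{flag:8} {t['service']}: skey={t['skey']!r} tkt={t['tkt']!r}")
```

Run it against real output with `klist -e | python3 check_klist.py` after replacing SAMPLE with `sys.stdin.read()`; a ticket reported as WEAK TKT is one the KDC encrypted under a DES key of the service principal, which is a KDC/key-table matter, not something the client's permitted enctypes can fix.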
