Updating encryption types
Phil Dibowitz
phil at usc.edu
Tue Jul 5 16:48:54 EDT 2005
On Mon, Jul 04, 2005 at 03:29:11PM -0500, Will Fiveash wrote:
> > 1. Changing the enctypes (the previous admin had it hard coded) will cause
> > session keys to use the new enctypes, but other keys will not immediately see
> > effect.
>
> If you mean creating a new set of enctype keys for service princs will
> have an immediate effect on the enctype of sessions keys issued after
> the new keys are created then yes (make sure the service systems
> krb5.keytab is updated also). I am not sure what you mean by "other
> keys".
What I meant was "changing enctypes in kdc.conf and krb5.conf and doing
nothing else should at best up the encryption of the session keys. Nothing
else will change until passwords are changed."
> > Is there a way to tell what encryption type is being used for the session
> > key? I'm assuming the "3 etypes {511 511 1}" means there are three encryption
> > types defined (which seems right)... but then there's "etypes {rep=1 tkt=1
> > ses=1}" which I interpret to say the session key is type "1" (DES?).
>
> klist -e should show something like:
> $ klist -e
> Ticket cache: FILE:/tmp/krb5cc_10224
> Default principal: jimmy at SUN.COM
>
> Valid starting Expires Service principal
> 07/04/05 15:12:13 07/04/05 23:12:13 krbtgt/SUN.COM at SUN.COM
> renew until 07/11/05 15:12:13, Etype(skey, tkt): AES-128 CTS mode with 96-bit SHA-1 HMAC, AES-128 CTS mode with 96-bit SHA-1 HMAC
Ah, very cool. So in my test environment I have a KDC with a bunch of DES
encrypted principals. I changed the "enctypes" on both krb5.conf and kdc.conf
from des to rc4, des3, and des, and changed the password on my principal. I
now see:
Number of keys: 3
Key: vno 10, ArcFour with HMAC/md5, no salt
Key: vno 10, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 10, DES cbc mode with CRC-32, no salt
Attributes:
from kadmin, great (though is that "no salt" supposed to be there?)!
However, klist -e shows:
[phil at frantic unstale]$ klist -e
Ticket cache: FILE:/tmp/krb5cc_36070
Default principal: phil at ISD.USC.EDU
Valid starting Expires Service principal
07/05/05 13:36:31 07/05/05 23:36:31 krbtgt/ISD.USC.EDU at ISD.USC.EDU
Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
[phil at frantic unstale]$
and the logs show:
Jul 05 13:36:31 frantic.usc.edu krb5kdc[26284](info): AS_REQ (3 etypes {23 16
1}) 128.125.10.120: ISSUE: authtime 1120595791, etypes {rep=23 tkt=1 ses=1},
phil at ISD.USC.EDU for krbtgt/ISD.USC.EDU at ISD.USC.EDU
Neither the session key nor my principal key seems to have been using the new
encryption... it's not clear to me why...
--
Phil Dibowitz
Systems Architect and Administrator
Enterprise Infrastructure / ISD / USC
UCC 180 - 213-821-5427
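The KDC log line quoted in the message encodes the whole answer in three numbers: `rep` is the enctype of the AS reply (encrypted in the client principal's long-term key), `tkt` is the enctype of the ticket (encrypted in the service principal's key, here krbtgt), and `ses` is the session key enctype. A reply of 23 (rc4-hmac) with `tkt=1 ses=1` (des-cbc-crc) is the pattern you see when the client's password has been changed but the service principal still has only DES keys, or the KDC's permitted enctypes exclude the stronger ones. The parser below is an added example for reading such lines from an MIT krb5kdc log and flagging weak enctypes; it is not code from the original post. The enctype numbers are the standard IANA/RFC 3961, 3962 and 4757 assignments; the two sample log lines are constructed for the example (the first follows the line in the message, rejoined onto one line with the archive's " at " restored to "@", the second is a made-up AES-only issue for an example.com realm).

```python
import re

# Kerberos enctype numbers (RFC 3961, RFC 3962, RFC 4757).
ETYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
# Single-DES types; RFC 6649 deprecates them for Kerberos.
WEAK_ETYPES = {1, 2, 3}

# Matches the MIT krb5kdc "ISSUE" line once any mail/syslog wrapping is undone.
ISSUE_RE = re.compile(
    r"(?P<proto>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[^}]*)\}\) "
    r"(?P<addr>\S+): ISSUE: authtime (?P<authtime>\d+), "
    r"etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, "
    r"(?P<client>\S+) for (?P<service>\S+)"
)

# Constructed sample input, not a real log capture.
SAMPLE_LINES = [
    "Jul 05 13:36:31 frantic.usc.edu krb5kdc[26284](info): AS_REQ (3 etypes {23 16 1}) "
    "128.125.10.120: ISSUE: authtime 1120595791, etypes {rep=23 tkt=1 ses=1}, "
    "phil@ISD.USC.EDU for krbtgt/ISD.USC.EDU@ISD.USC.EDU",
    "Jul 05 14:00:00 kdc.example.com krb5kdc[1234](info): AS_REQ (2 etypes {18 17}) "
    "192.0.2.10: ISSUE: authtime 1120597200, etypes {rep=18 tkt=18 ses=18}, "
    "alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
]


def etype_name(num):
    """Human-readable name for an enctype number."""
    return ETYPE_NAMES.get(num, "unknown(%d)" % num)


def parse_issue_line(line):
    """Parse one krb5kdc ISSUE line into a dict, or return None if it is not one."""
    m = ISSUE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["offered"] = [int(x) for x in rec["offered"].split()]
    for key in ("rep", "tkt", "ses", "authtime"):
        rec[key] = int(rec[key])
    return rec


def assess(rec):
    """Return a list of findings about weak enctypes in one parsed ISSUE record."""
    findings = []
    # Each etype field tells you which key was used for which part of the reply.
    for field, what in (("rep", "reply (client's long-term key)"),
                        ("tkt", "ticket (service's long-term key)"),
                        ("ses", "session key")):
        if rec[field] in WEAK_ETYPES:
            findings.append("%s uses weak enctype %s" % (what, etype_name(rec[field])))
    # A weak session key despite a strong offer points at the service's keys
    # (or the KDC's permitted_enctypes), not at the client.
    strong_offered = [e for e in rec["offered"] if e not in WEAK_ETYPES]
    if strong_offered and rec["ses"] in WEAK_ETYPES:
        findings.append(
            "client offered %s but got a %s session key: service principal %s "
            "probably still has only DES keys, or the KDC does not permit the "
            "stronger types"
            % (", ".join(etype_name(e) for e in strong_offered),
               etype_name(rec["ses"]), rec["service"]))
    return findings


def scan_log(lines):
    """Map each client principal seen in ISSUE lines to its findings."""
    report = {}
    for line in lines:
        rec = parse_issue_line(line)
        if rec is not None:
            report[rec["client"]] = assess(rec)
    return report


if __name__ == "__main__":
    for client, findings in scan_log(SAMPLE_LINES).items():
        print(client, "->", findings or ["no weak enctypes"])
```

Run it over a real krb5kdc log (after joining any lines the syslog or mail wrapping split) and the entries whose `ses` is DES while the client offered rc4 or AES are the service principals whose keys still need to be regenerated; the krbtgt principal is the one to look at first, since every TGT is encrypted in its key.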