Best (or recommended) practices for updating and modifying encryption types supported on all principals?

Russ Allbery rra at stanford.edu
Thu Apr 12 11:52:27 EDT 2012


"Martin B. Smith" <smithmb at ufl.edu> writes:

> That all being said, what is the recommended way to adjust the supported
> encryption types for every principal in our KDB? So far, I see the main
> option being dump and load using kdb5_util. Is there an even better way?

Change the configured supported encryption types and then have everyone
change their password.

The Kerberos KDC doesn't store the password, only the keys, so to change
the encryption types available for those keys, you generally have to force
people to change their passwords.  A lot of sites, when faced with a mass
migration, add code to some authentication choke point (such as a central
web authentication server) and quietly do a "password change" to the same
password behind the scenes when users log in.

Dumping and loading with kdb5_util will not help.

> Also, here's our current configuration (we require PREAUTH, btw):

> supported_enctypes =  des-hmac-sha1:normal des-cbc-md5:normal
> des-cbc-crc:v4 des-cbc-crc:afs3 des3-hmac-sha1:normal arcfour-hmac:normal

> Is there anything in the 'must have' category that we should add or 'must
> get rid of' category that we should remove? My understanding is that I
> should probably remove the single DES items.

You should remove all the des-* entries unless you really need them for
some old application.

You should definitely add aes128-cts-hmac-sha1-96:normal and
aes256-cts-hmac-sha1-96:normal.

Whether to keep des3-cbc-sha1:normal is up to you.  At this point, I
wouldn't bother adding it if you didn't have it already, since pretty much
anything that can speak des3-cbc-sha1 can speak one of the AES variants
unless it's *really* old, and Windows speaks AES but doesn't speak 3DES.
But since you have it there, there's no strong reason to remove it; it's
not (yet) considered weak.

You should retain arcfour-hmac for as long as you have Windows XP systems.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
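The point above is that editing supported_enctypes changes nothing for keys already stored in the KDB; a principal only gets keys of the new enctypes when its password is changed. This added example (not from the thread or from MIT Kerberos) audits which principals still need that password change by parsing `kadmin.local getprinc` output; the sample output, the `Key: vno N, <enctype>` line format and the enctype sets are assumptions.

```python
import re

# Constructed sample of `kadmin.local -q "getprinc <princ>"` output for three principals
# (format assumed to match MIT Kerberos 1.9+; not captured from a real KDC).
SAMPLE_GETPRINC_OUTPUT = """\
Principal: alice@EXAMPLE.COM
Key: vno 4, aes256-cts-hmac-sha1-96
Key: vno 4, aes128-cts-hmac-sha1-96
Key: vno 4, arcfour-hmac
Principal: bob@EXAMPLE.COM
Key: vno 2, des-cbc-crc
Key: vno 2, des3-cbc-sha1
Principal: legacy/printer@EXAMPLE.COM
Key: vno 1, des-cbc-crc
"""

# Single-DES enctypes the reply says to remove, and the AES enctypes it says to add.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-hmac-sha1"}
AES_ENCTYPES = {"aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"}
PRINC_RE = re.compile(r"^Principal:\s+(\S+)")
KEY_RE = re.compile(r"^Key:\s+vno\s+\d+,\s+([a-z0-9-]+)")

def parse_key_enctypes(text):
    """Map each principal to the set of enctypes it currently holds keys for."""
    keys, current = {}, None
    for line in text.splitlines():
        if m := PRINC_RE.match(line):
            current = m.group(1)
            keys[current] = set()
        elif (m := KEY_RE.match(line)) and current is not None:
            keys[current].add(m.group(1))
    return keys

def audit(keys):
    """Principals whose stored keys do not yet reflect the new policy: they need a
    password change, since editing supported_enctypes alone never re-keys them."""
    needs_rotation = {}
    for princ, enctypes in sorted(keys.items()):
        reasons = []
        if not enctypes & AES_ENCTYPES:
            reasons.append("no AES key")
        if enctypes & WEAK_ENCTYPES:
            reasons.append("single-DES key still present")
        if reasons:
            needs_rotation[princ] = reasons
    return needs_rotation

if __name__ == "__main__":
    for princ, reasons in audit(parse_key_enctypes(SAMPLE_GETPRINC_OUTPUT)).items():
        print(f"{princ}: {', '.join(reasons)}")
```

On a real KDC, feed it the concatenated getprinc output for every principal (for example from `kadmin.local -q listprincs` in a loop) to get the list of users who still have to rotate.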