Single-DES in krbtgt/REALM key

Greg Hudson ghudson at MIT.EDU
Wed Aug 21 15:40:58 EDT 2013


On 08/21/2013 04:56 AM, Kenny MacDonald wrote:
> Can anyone explain why "des-cbc-crc:normal" is listed as an encryption type
> for the new krbtgt/ZONE.MIT.EDU key?  I cannot find a rationale for it in
> that page.

Short answer: I don't think it's usually necessary, but it isn't
harmful.  The instructions could probably be simplified.

The keys for a service principal (including the krbtgt principal) have
two effects:

* The first key of a kvno, and only the first key, is used to encrypt
tickets for that service.  The KDC will not accept tickets encrypted in
a different key for TGS requests.

* The KDC assumes that a service supports session keys of the types it
has keys for (except des-cbc-md5), plus (by default) des-cbc-crc.  In
1.11, this list can be overridden with the "session_enctypes" string
attribute, and it's also possible to turn off the assumption of
des-cbc-crc support with the "des_crc_session_supported" realm parameter.

The retiring-des instructions advise rolling the TGT keys twice: once to
add strong enctypes, and then again later to get rid of the DES key.
The intent of including a DES key the first time was (I think) to ensure
that clients can still get initial tickets with DES session keys.  This
would mostly affect clients which have
"default_tkt_enctypes=des-cbc-crc" in their krb5.conf files for no good
reason, but could also affect old Java apps if they get initial tickets.
However:

1. Because of the default assumption that services support des-cbc-crc
session keys, including the DES key isn't necessary unless the realm is
configured with "des_crc_session_supported=false".

2. The instructions don't explicitly advise you to identify and fix all
of the clients which might be doing this before rolling the TGT keys
again (which doesn't actually have an effect on this, generally) or
before removing allow_weak_crypto=true on the KDC (which does).

So we could probably simplify the instructions to roll the krbtgt key
just once, although we might need to add a proviso in case the
administrator has set des_crc_session_supported=false.  And we should
probably add instructions about checking the logs for DES-only clients.
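
One way to do the log check suggested in the last paragraph, added here as an example; it is not part of the original message or of MIT krb5. It scans krb5kdc log lines for issued tickets where the client offered only single-DES enctypes or received a DES session key. The sample lines are constructed, and the "ISSUE" line layout is an assumption to confirm against your own KDC log.

```python
import re
from collections import defaultdict

# Single-DES enctype numbers: des-cbc-crc=1, des-cbc-md4=2, des-cbc-md5=3.
DES_ETYPES = {1, 2, 3}

# Assumed krb5kdc "ISSUE" line layout; adjust if your release logs differently.
ISSUE_RE = re.compile(
    r"(?:AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[^}]*)\}\) \S+: ISSUE: "
    r".*?etypes \{rep=\S+ tkt=\S+ ses=(?P<ses>[^}]+)\}, "
    r"(?P<client>\S+) for (?P<service>\S+)"
)

def etype_numbers(text):
    """Parse '18 17 1'; also tolerates a 'name(18), name(1)' style list."""
    named = re.findall(r"\((\d+)\)", text)
    return [int(n) for n in (named or re.findall(r"\d+", text))]

def des_clients(log_lines):
    """Return {client principal: set of findings} for DES-dependent requests."""
    findings = defaultdict(set)
    for line in log_lines:
        m = ISSUE_RE.search(line)
        if not m:
            continue  # errors, other daemons, unrelated lines
        offered = etype_numbers(m["offered"])
        session = etype_numbers(m["ses"])
        # Client listed nothing but single-DES enctypes in its request.
        if offered and all(e in DES_ETYPES for e in offered):
            findings[m["client"]].add("des-only-request")
        # KDC actually issued a single-DES session key.
        if session and session[0] in DES_ETYPES:
            findings[m["client"]].add("des-session-key")
    return dict(findings)

# Constructed sample log lines (not from a real KDC).
SAMPLE_LOG = [
    "Aug 21 15:40:58 kdc1 krb5kdc[911](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1377114058, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    "Aug 21 15:41:02 kdc1 krb5kdc[911](info): AS_REQ (1 etypes {1}) 192.0.2.11: ISSUE: authtime 1377114062, etypes {rep=1 tkt=18 ses=1}, legacy-batch@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    "Aug 21 15:41:09 kdc1 krb5kdc[911](info): TGS_REQ (2 etypes {3 1}) 192.0.2.12: ISSUE: authtime 1377110000, etypes {rep=18 tkt=18 ses=1}, javaapp@EXAMPLE.COM for host/old.example.com@EXAMPLE.COM",
    "Aug 21 15:41:15 kdc1 krb5kdc[911](info): AS_REQ (3 etypes {18 17 1}) 192.0.2.13: ISSUE: authtime 1377114075, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
]

if __name__ == "__main__":
    for client, what in sorted(des_clients(SAMPLE_LOG).items()):
        print(client, sorted(what))
```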


