Adding higher grade crypto to existing KDC servers while maintaining weak
William Clark
majorgearhead at gmail.com
Sun Oct 19 18:12:09 EDT 2014
I know this seems like an idiotic thing, but here is the scenario. I have a multi-KDC setup that has been the backbone of Kerberos for a large organization. Traditionally we have had to keep weak crypto around because of some legacy tools that cannot be rewritten at this time.
I want to prepare for the future, and also allow OS X Yosemite (10.10) users to be able to kinit right now. In the case of the Yosemite users, they cannot because Apple locked down the ability to use weak crypto in this release regardless of whether one has allow_weak_crypto = TRUE in their krb5.conf or edu.it.Kerberos. So my thought is to find the minimum I need to do to start allowing clients to auth via stronger crypto like AES. I know I will have to rekey the main service principals, but what I am fuzzy on is whether I would need to rekey every principal, which would cause quite the headache.
Has anyone gone through this and can give me some guidance on what, in addition to the service principal rekeys, I would need to do to just allow clients that can no longer communicate using weak crypto? My idea is also to issue all new principals going forward with the additional key. The part that I need to suss out is whether I need to rekey 100,000+ principals at this time and, if I did, how I would do this with the least downtime. I know in the future when no weak crypto is needed I will probably have a parallel system set up and move people over to it using my L3DSR VIP setup. But this will be a major undertaking just to issue the new keytabs alone.
William Clark
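Added example (not from the poster or the MIT Kerberos project): a small inventory script for the question above, which sorts principals by whether they already carry an AES key, and for keytab-based service principals emits the kadmin `cpw -randkey -keepold -e ...` line that adds an AES key while keeping the DES key the legacy tools need. It assumes the modern MIT `getprinc` key-line format (`Key: vno N, enctype`); the principals and key lines in `SAMPLE` are constructed, and `classify` treats any principal with a `/` in its name as a service principal.

```python
"""Inventory principals for an AES transition from concatenated `kadmin getprinc` output.

Service principals (keytab-based) can be rekeyed by the admin with -randkey; -keepold
retains the current DES key so existing keytabs keep working until the new one is
distributed.  User keys are derived from the password, so those principals are listed
for a password change rather than rekeyed here.
"""
import re

WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}
AES_ENCTYPES = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"}
# Keysalt list for `cpw -e`: AES first, and a DES key kept for the legacy tools.
TRANSITION_KEYSALTS = "aes256-cts-hmac-sha1-96:normal,des-cbc-crc:normal"

PRINC_RE = re.compile(r"^Principal: (\S+)")
KEY_RE = re.compile(r"^Key: vno (\d+), ([\w-]+)")

# Constructed sample in the `Key: vno N, enctype` format printed by recent MIT kadmin.
SAMPLE = """\
Principal: host/web1.example.com@EXAMPLE.COM
Key: vno 3, des-cbc-crc
Principal: host/web2.example.com@EXAMPLE.COM
Key: vno 5, aes256-cts-hmac-sha1-96
Key: vno 5, des-cbc-crc
Principal: alice@EXAMPLE.COM
Key: vno 2, des-cbc-crc
"""

def parse_getprinc(text):
    """Map principal name -> set of enctype names found in its Key: lines."""
    keys, current = {}, None
    for line in text.splitlines():
        if m := PRINC_RE.match(line):
            current = m.group(1)
            keys.setdefault(current, set())
        elif (m := KEY_RE.match(line)) and current:
            keys[current].add(m.group(2))
    return keys

def classify(principal, enctypes):
    if enctypes & AES_ENCTYPES:
        return "ready"                    # AES-only clients can already get service tickets
    if "/" in principal.split("@")[0]:
        return "rekey-service"            # admin can add an AES key with cpw -randkey -keepold
    return "needs-password-change"        # only a password change yields an AES key

def plan(text):
    """Return (kadmin commands for service principals, users who need a password change)."""
    commands, users = [], []
    for princ, enctypes in sorted(parse_getprinc(text).items()):
        state = classify(princ, enctypes)
        if state == "rekey-service":
            commands.append(f"cpw -randkey -keepold -e {TRANSITION_KEYSALTS} {princ}")
        elif state == "needs-password-change":
            users.append(princ)
    return commands, users
```

After adding the AES keys, the new keytab for each rekeyed service principal still has to be exported and installed before the old DES key is retired.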