[EXTERNAL] Re: PKINIT on MacOSX Maverick and Yosemite
Machin, Glenn D
GMachin at sandia.gov
Mon Jan 18 20:45:54 EST 2016
Thanks - tried setting libdefaults pkinit_dh_min_bits = 1760, but got the
error below. It may be a Maverick limitation. I’ll try Yosemite tomorrow.
kinit: krb5_get_init_creds: Did not find a DH group parameter matching
requirement of 1760 bits
Appreciate the help.
Glenn
On 1/18/16, 6:26 PM, "Greg Hudson" <ghudson at mit.edu> wrote:
>On 01/18/2016 07:30 PM, Machin, Glenn D wrote:
>> Apparently MacOSX
>> Heimdal is set at 1024 and has no (at least that I can find)
>> krb5.conf attribute like pkinit_dh_min_bits.
>
>From a look at the source code, it seems like Heimdal supports a
>pkinit_dh_min_bits variable in [libdefaults], but only has built-in DH
>groups at 1024 and 1760 bits. If I'm right, you would need a
>krb5.moduli file to make it support a 2048-bit group, and I can't find
>any documentation on how to do that.
>
>(To Heimdal's credit, it has supported ECDH PKINIT using P-256 for years
>now, but that doesn't help you interoperate because MIT krb5 doesn't
>implement it.)
>
>> The MIT KDC minimum is 2048 and even if
>> you set the kdc.conf pkinit_dh_min_bits to 1024 the source code's
>> minimum is defined at 2048.
>
>This was changed in 1.11.3 and 1.12+; we now allow values as low as 1024
>bits to be configured. Be aware that cryptographers believe 1024-bit
>Diffie-Hellman to be attackable by nation-state adversaries. It seems
>like a value of 1760 bits might work with OS X clients (even without
>configuration), so you might consider that instead.
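As an added illustration (not part of this thread or of either Kerberos implementation), a small Python audit that walks krb5.conf/kdc.conf-style text and flags every pkinit_dh_min_bits value below 2048, the threshold implied by the 1024-bit caveat above; the sample config, the cut-off constant and the function name are my own assumptions.

```python
import re

# Threshold below which a configured DH minimum is flagged (assumed here).
WEAK_DH_BITS = 2048
KEY = "pkinit_dh_min_bits"

def audit_pkinit_dh_min_bits(conf_text):
    """Return [(section_path, value, verdict), ...] for every pkinit_dh_min_bits
    found, walking [section] headers and NAME = { ... } subsections."""
    findings, section, stack = [], "?", []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section, stack = header.group(1), []
            continue
        if line == "}":                        # leave a subsection
            if stack:
                stack.pop()
            continue
        kv = re.match(r"^([^=\s]+)\s*=\s*(.*)$", line)
        if not kv:
            continue
        key, value = kv.group(1), kv.group(2).strip()
        if value == "{":                       # enter a subsection
            stack.append(key)
            continue
        if key == KEY:
            path = "/".join([section] + stack)
            if not value.isdigit():
                findings.append((path, value, "invalid"))
            else:
                bits = int(value)
                findings.append((path, bits, "weak" if bits < WEAK_DH_BITS else "ok"))
    return findings

# Constructed sample: a KDC config whose global minimum was lowered for old clients.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
    pkinit_dh_min_bits = 1024   # lowered for old Heimdal clients

[realms]
    EXAMPLE.COM = {
        pkinit_dh_min_bits = 2048
    }
"""
```

Running `audit_pkinit_dh_min_bits(SAMPLE_KDC_CONF)` reports the global 1024-bit setting as weak and the per-realm 2048-bit setting as ok.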