Questions about supported_enctypes
Dan Mahoney (Gushi)
danm at prime.gushi.org
Sat May 18 22:49:44 EDT 2019
All,

When I kinit from my macOS Mojave machine against $dayjob's kdc, I get the
following:

    mustelid:~ dmahoney$ kinit
    dmahoney at FOO.ORG's password:
    Encryption type des3-cbc-sha1(16) used for authentication is weak and will
    be deprecated

Searching for this message yields surprisingly little.
My install of Mojave has no krb5.conf, so it's using whatever the
compiled-in defaults are. Here are my questions, then.
q1: Is there a way of seeing what those are? (Or, of spewing out a
krb5.conf that reflects the defaults?)
q2: Is there a way of seeing which enctypes are supported on a krb5kdc
(i.e. as part of the kinit process, not by looking in the filesystem)?
q3: On the same note, what are others in the modern world moving to with
this algo being deprecated? Is there a current recommendation? If one
disables des3-cbc-sha1, what versions of Kerberos are you effectively
blackholing?
I've found links on the mit.edu page about des (single-des) being
deprecated, but not 3des yet:
https://web.mit.edu/kerberos/www/krb5-1.12/doc/admin/advanced/retiring-des.html
But deprecation of 3des is mentioned in this internet draft:
https://tools.ietf.org/id/draft-ietf-curdle-des-des-des-die-die-die-01.html
(I have no idea about Apple's internal processes, or what other vendors
are following suit).
-Dan
--
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
FB: fb.com/DanielMahoneyIV
LI: linkedin.com/in/gushi
Site: http://www.gushi.org
---------------------------