Review of ending February 13, 2009

Nicolas Williams Nicolas.Williams at
Thu Jan 29 12:53:38 EST 2009

On Wed, Jan 28, 2009 at 09:16:18PM -0500, Tom Yu wrote:
> This project aims to disable single-DES cryptosystems by default.  The
> "allow_weak_crypto" libdefaults setting (which is compatible with
> Heimdal) will override this disabling.  Note that a more general means
> of configuring enctypes, allowing for explicit inclusions and
> exclusions, is out of scope for this project for time reasons but is
> clearly a better way to accomplish this functionality.
> An initial implementation is already committed to the trunk.

Sam comments that this should be mostly driven by the KDC, and I agree.

I'd certainly have no problem with defaulting kadmind to not allow use
of 1DES enctypes for new key/password changes, but having clients/
servers stop using 1DES enctypes because of a software upgrade seems
much more problematic, even though also desirable.

We've recently learned,  in the context of SSHv2 and its broken CBC mode
ciphers, just how painful simply disabling weak ciphers can be.

That said, because an attacker could spoof PA-ETYPE-INFO any client that
allows weak long-term keys can be caused to send PA-ENC-TIMESTAMP
encrypted with weak keys, and that's bad.  Sam hinted at this.

So... I'm of two minds on this.

Q: Which deployment is more common: clients with [hostbased] principals
   for themselves, or clients without any machine credentials?

   A decision to locally exclude 1DES enctypes can be made at realm-join
   time.  But in the case of unkeyed clients there's no obvious time at
   which a krb5.conf could get written that reflects a user's realm's

I do think that syntax for including/excluding ciphers in krb5.conf
would be very useful though.  And it doesn't strike me as too complex a


More information about the krbdev mailing list