Poor enctype used after rekeying TGT

Jonathan Reams jr3074 at columbia.edu
Thu Dec 9 10:19:35 EST 2010


We recently rekeyed our krbtgt to take advantage of new and improved encryption types (and slaughter DES-CBC-CRC), and we ended up with 5 keys.

Key: vno 3, DES cbc mode with CRC-32, no salt
Key: vno 3, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 3, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 3, ArcFour with HMAC/md5, no salt
Key: vno 2, DES cbc mode with CRC-32, Version 4

Everything seems okay there, but when I get a TGT, the skey is using a high encryption type, but the tkt is a very weak encryption type.

[minotaur:~]$ klist -e
Ticket cache: FILE:/tmp/krb5cc_266357_kfGiUN1020
Default principal: jr3074 at CC.COLUMBIA.EDU

Valid starting     Expires            Service principal
12/09/10 09:41:10  12/09/10 19:41:10  krbtgt/CC.COLUMBIA.EDU at CC.COLUMBIA.EDU
	renew until 12/10/10 09:41:10, Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, DES cbc mode with CRC-32 

What do we need to do to eviscerate DES-CBC-CRC? Can't clients that understand the better types get them automatically?

Jonathan Reams
Columbia University
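
An added example, not part of the original post: a small checker that reads `klist -e` output in the layout quoted above and reports tickets whose session key (skey) or ticket (tkt) encryption type is weak. The sample cache contents, the EXAMPLE.ORG realm and the choice of which etype names count as weak are assumptions of this example.

```python
import re

# Policy assumed by this example: single DES, Triple DES and ArcFour (RC4) count as weak.
WEAK_MARKERS = ("des cbc", "arcfour")

# A ticket line starts with two "MM/DD/YY HH:MM:SS" timestamps, then the service principal.
TICKET_RE = re.compile(
    r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+(\S.*?)\s*$")
# The etype pair sits on its own line or follows "renew until ...," on the same line.
ETYPE_RE = re.compile(r"Etype \(skey, tkt\): (.+?)\s*$")

# Constructed sample in the layout of the klist -e output quoted in the post.
SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.ORG

Valid starting     Expires            Service principal
12/09/10 09:41:10  12/09/10 19:41:10  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
\trenew until 12/10/10 09:41:10, Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, DES cbc mode with CRC-32
12/09/10 09:45:02  12/09/10 19:41:10  host/web1.example.org@EXAMPLE.ORG
\tEtype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
"""

def is_weak(etype):
    """True when the etype name matches one of the weak markers (case-insensitive)."""
    name = etype.lower()
    return any(marker in name for marker in WEAK_MARKERS)

def weak_tickets(klist_output):
    """Return one finding per ticket whose skey or tkt etype is weak."""
    findings, service = [], None
    for line in klist_output.splitlines():
        ticket = TICKET_RE.match(line)
        if ticket:
            service = ticket.group(1)   # remember which ticket the next etype line describes
            continue
        etypes = ETYPE_RE.search(line)
        if not (etypes and service):
            continue
        parts = [p.strip() for p in etypes.group(1).split(", ")]
        if len(parts) == 2:             # skip lines that do not split into exactly skey, tkt
            weak = [label for label, e in zip(("skey", "tkt"), parts) if is_weak(e)]
            if weak:
                findings.append({"service": service, "skey": parts[0],
                                 "tkt": parts[1], "weak": weak})
        service = None
    return findings

if __name__ == "__main__":
    for f in weak_tickets(SAMPLE):
        print(f"{f['service']}: weak {'/'.join(f['weak'])} (skey={f['skey']}; tkt={f['tkt']})")
```

To check a live cache, pass it the text that `klist -e` prints instead of SAMPLE.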


