Re: MIT krb5 release 1.18 will remove single-DES support


Re: MIT krb5 release 1.18 will remove single-DES support

Kenneth MacDonald
On Tue, 2019-05-28 at 15:01 -0400, Greg Hudson wrote:

> This is advance notice that the MIT krb5 1.18 release, planned for near
> the end of this year, will remove support for the single-DES encryption
> types (chiefly des-cbc-crc) and their associated checksum types and salt
> types.  Setting "allow_weak_crypto = true" will no longer re-enable
> single-DES.
>
> If your Kerberos environment still makes use of single-DES, please see
> https://web.mit.edu/kerberos/krb5-latest/doc/admin/advanced/retiring-des.html
> for documentation on how to transition to the AES encryption types.

Does this impact on the kadmin/history key as documented at

https://web.mit.edu/kerberos/krb5-latest/doc/admin/database.html#updating-the-history-key

Cheers,

Kenny.
--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.

_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev

Re: MIT krb5 release 1.18 will remove single-DES support

Greg Hudson
On 5/31/19 8:59 AM, Kenneth MacDonald wrote:
> On Tue, 2019-05-28 at 15:01 -0400, Greg Hudson wrote:
>> This is advance notice that the MIT krb5 1.18 release, planned for near
>> the end of this year, will remove support for the single-DES encryption
>> types

> Does this impact on the kadmin/history key as documented at
>
> https://web.mit.edu/kerberos/krb5-latest/doc/admin/database.html#updating-the-history-key

Yes; if the kadmin/history key uses a single-DES enctype, it will need
to be migrated, or change-password operations on principals with
policies will experience failures with 1.18.

Re: MIT krb5 release 1.18 will remove single-DES support

Kenneth MacDonald
On Fri, 2019-05-31 at 18:57 -0400, Greg Hudson wrote:

> On 5/31/19 8:59 AM, Kenneth MacDonald wrote:
> > On Tue, 2019-05-28 at 15:01 -0400, Greg Hudson wrote:
> > > This is advance notice that the MIT krb5 1.18 release, planned for near
> > > the end of this year, will remove support for the single-DES encryption
> > > types
> > Does this impact on the kadmin/history key as documented at
> >
> > https://web.mit.edu/kerberos/krb5-latest/doc/admin/database.html#updating-the-history-key
>
> Yes; if the kadmin/history key uses a single-DES enctype, it will need
> to be migrated, or change-password operations on principals with
> policies will experience failures with 1.18.

Thanks for clarifying that.  Can you further confirm or correct these
two assumptions I'm making following on from this ...

1/ Our kadmin/history key has a single-DES and another enctype, so
we're safe for now.

2/ If we rekey the kadmin/history key then all previous password
history will be unavailable, so users will be able to reuse some
previously used passwords (those set when the old kadmin/history key
was in operation).

Cheers,

Kenny.


Re: MIT krb5 release 1.18 will remove single-DES support

Greg Hudson
On 6/3/19 6:17 AM, Kenneth MacDonald wrote:
> Thanks for clarifying that.  Can you further confirm or correct these
> two assumptions I'm making following on from this ...
>
> 1/ Our kadmin/history key has a single-DES and another enctype, so
> we're safe for now.

Ordinarily kadmin/history only has one key; I guess this kadmin/history
entry was created with krb5-1.2 or earlier.

From my reading of the code, if kadmin/history has multiple keys, only
the first key is used to create new history entries, and password change
operations will fail out if that key has an unsupported enctype.  So if
the first key is des-cbc-crc I would still expect an issue.

> 2/ If we rekey the kadmin/history key then all previous password
> history will be unavailable, so users will be able to reuse some
> previously used passwords (those set when the old kadmin/history key
> was in operation).

That is correct.
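The check an administrator would want before upgrading follows from the last two replies: the enctype of the first key on kadmin/history is what matters, and rekeying it discards the stored password history. The script below is an added example, not code from the thread or from MIT krb5; it parses `getprinc kadmin/history` output and reports whether the first key is single-DES. The three sample outputs, the EXAMPLE.COM realm and the exact wording of the "Key:" lines are constructed (kadmin's rendering of key lines differs between krb5 releases, so both the enctype-name and the older descriptive-name forms are handled). The rekey command in the trailing comment is the one from the admin guide section linked above and is not executed.

```shell
#!/bin/sh
# Added example; not code from the krbdev thread or from MIT krb5 itself.
# It applies the thread's conclusion mechanically: only the FIRST key of
# kadmin/history is used to write new history entries, so that key's
# enctype decides whether krb5 1.18 will break password changes.

# Constructed samples of `kadmin.local -q "getprinc kadmin/history"` output.
# Newer kadmin prints enctype names (optionally with ":salttype"); older
# kadmin prints descriptive names such as "DES cbc mode with CRC-32, no salt".
SAMPLE_DES_FIRST='Principal: kadmin/history@EXAMPLE.COM
Expiration date: [never]
Last password change: Tue Jun 04 10:00:00 BST 2019
Number of keys: 2
Key: vno 1, des-cbc-crc
Key: vno 1, aes256-cts-hmac-sha1-96
MKey: vno 1
Policy: [none]'

SAMPLE_OLD_STYLE='Principal: kadmin/history@EXAMPLE.COM
Number of keys: 1
Key: vno 1, DES cbc mode with CRC-32, no salt
MKey: vno 1
Policy: [none]'

SAMPLE_AES_FIRST='Principal: kadmin/history@EXAMPLE.COM
Number of keys: 2
Key: vno 2, aes256-cts-hmac-sha1-96:normal
Key: vno 1, des-cbc-crc
MKey: vno 1
Policy: [none]'

# Print the enctype of the first "Key:" line (the key kadmind will use),
# dropping any ":salttype" suffix; a trailing ", no salt" field is ignored
# because the field separator is ", ".
first_key_enctype() {
    printf '%s\n' "$1" |
        awk -F', ' '/^Key: vno /{ e = $2; sub(/:.*/, "", e); print e; exit }'
}

# True for the single-DES enctypes removed in 1.18, under either naming.
# des3-cbc-sha1 / "Triple DES ..." deliberately do not match.
is_single_des() {
    case "$1" in
        des-cbc-crc|des-cbc-md4|des-cbc-md5|des-cbc-raw|des-hmac-sha1) return 0 ;;
        'DES cbc mode'*|'DES with HMAC'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when kadmin/history must be rekeyed before upgrading, 1 when it
# is fine, 2 when no Key line was found. Prints a one-line verdict.
history_key_status() {
    hk_enc=$(first_key_enctype "$1")
    if [ -z "$hk_enc" ]; then
        echo "kadmin/history: no Key lines found"
        return 2
    fi
    if is_single_des "$hk_enc"; then
        echo "kadmin/history: first key is $hk_enc; rekey before 1.18"
        return 0
    fi
    echo "kadmin/history: first key is $hk_enc; OK"
    return 1
}

# Rekey step from the admin guide's "Updating the history key" section;
# run by hand on the KDC, NOT executed here. As confirmed in the thread,
# this discards all stored old keys, so passwords set under the old
# history key become reusable.
#   kadmin.local -q 'change_password -randkey kadmin/history'

for s in "$SAMPLE_DES_FIRST" "$SAMPLE_OLD_STYLE" "$SAMPLE_AES_FIRST"; do
    history_key_status "$s" || :
done
```

On a real KDC, feed the function the live output instead of a sample, e.g. `history_key_status "$(kadmin.local -q 'getprinc kadmin/history')"`, and treat exit status 0 as "schedule the rekey (and warn users that old passwords will be accepted again)".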