kadmin and enctype

kadmin and enctype

Victor Sudakov
Dear Colleagues,

"kadmin -l" by default creates principals with the following Keytypes:
aes256-cts-hmac-sha1-96(pw-salt), des3-cbc-sha1(pw-salt),
arcfour-hmac-md5(pw-salt).

How do I create a principal with the weak des-cbc-crc keytype? The
"add" command does not seem to support the specification of
encryption types.

There is an option "allow_weak_crypto = true" for krb5.conf, but I
don't understand in which section it should be for "kadmin -l" to
honour it.

--
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
AS43859

Re: kadmin and enctype

Nico Williams
On Wed, Oct 11, 2017 at 05:47:58PM +0700, Victor Sudakov wrote:

> "kadmin -l" by default creates principals with the following Keytypes:
> aes256-cts-hmac-sha1-96(pw-salt), des3-cbc-sha1(pw-salt),
> arcfour-hmac-md5(pw-salt).
>
> How do I create a principal with the weak des-cbc-crc keytype? The
> "add" command does not seem to support the specification of
> encryption types.
>
> There is an option "allow_weak_crypto = true" for krb5.conf, but I
> don't understand in which section it should be for "kadmin -l" to
> honour it.

Hmmm, yeah, we don't have a -e argument for specifying a list of
enctypes (or, rather, keysalttype).

Anyways, you can set the [kadmin] section default_keys parameter to a
list of keysalttypes like so:

[kadmin]
      default_keys = aes256-cts-hmac-sha1-96:pw-salt
      default_keys = des3-cbc-sha1:pw-salt
      default_keys = arcfour-hmac-md5:pw-salt

(That's the baked-in default list, FYI.  We should probably drop des3
and arcfour and add aes128.)

Nico
--

Re: kadmin and enctype

Victor Sudakov
Nico Williams wrote:

> On Wed, Oct 11, 2017 at 05:47:58PM +0700, Victor Sudakov wrote:
> > "kadmin -l" by default creates principals with the following Keytypes:
> > aes256-cts-hmac-sha1-96(pw-salt), des3-cbc-sha1(pw-salt),
> > arcfour-hmac-md5(pw-salt).
> >
> > How do I create a principal with the weak des-cbc-crc keytype? The
> > "add" command does not seem to support the specification of
> > encryption types.
> >
> > There is an option "allow_weak_crypto = true" for krb5.conf, but I
> > don't understand in which section it should be for "kadmin -l" to
> > honour it.
>
> Hmmm, yeah, we don't have a -e argument for specifying a list of
> enctypes (or, rather, keysalttype).
>
> Anyways, you can set the [kadmin] section default_keys parameter to a
> list of keysalttypes like so:
>
> [kadmin]
>       default_keys = aes256-cts-hmac-sha1-96:pw-salt
>       default_keys = des3-cbc-sha1:pw-salt
>       default_keys = arcfour-hmac-md5:pw-salt
>
> (That's the baked-in default list, FYI.  We should probably drop des3
> and arcfour and add aes128.)
>

Many thanks, this worked.

I have made a note to memorize this: https://victor-sudakov.dreamwidth.org/424888.html 

--
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
AS43859
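
Added example (not part of the thread and not Heimdal code): a small Python audit that reads the [kadmin] default_keys list discussed above and marks each keysalttype as weak or ok, falling back to the baked-in list quoted in the thread when none is configured. The function names, the sample file and the weak-prefix rule are assumptions of this example; values are taken to be whitespace-separated and repeated lines cumulative.

```python
import re

# Constructed sample: the thread's list plus the single-DES keysalttype asked about.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.ORG
[kadmin]
    default_keys = aes256-cts-hmac-sha1-96:pw-salt
    default_keys = des3-cbc-sha1:pw-salt
    default_keys = arcfour-hmac-md5:pw-salt
    default_keys = des-cbc-crc:pw-salt
"""
# Baked-in default list as quoted in the thread; applies when none is configured.
BUILTIN_DEFAULT = ["aes256-cts-hmac-sha1-96:pw-salt", "des3-cbc-sha1:pw-salt",
                   "arcfour-hmac-md5:pw-salt"]
# Assumption of this example: single DES, 3DES and RC4 enctypes count as weak.
WEAK_PREFIXES = ("des-", "des3-", "arcfour-")


def kadmin_default_keys(conf_text):
    """Return the keysalttypes set by [kadmin] default_keys, in file order."""
    section, keys = None, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip()
            continue
        name, sep, value = line.partition("=")
        if sep and section == "kadmin" and name.strip() == "default_keys":
            keys.extend(value.split())       # repeated lines accumulate
    return keys


def audit(conf_text):
    """Return (keysalttype, 'weak' | 'ok') for the list kadmin would use."""
    entries = kadmin_default_keys(conf_text) or BUILTIN_DEFAULT
    return [(e, "weak" if e.split(":", 1)[0].lower().startswith(WEAK_PREFIXES) else "ok")
            for e in entries]


if __name__ == "__main__":
    for entry, verdict in audit(SAMPLE_KRB5_CONF):
        print(f"{verdict:4}  {entry}")
```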