• Re: Kerberos Digest, Vol 225, Issue 1

    From Hanuman Ram Huda@21:1/5 to kerberos-request@mit.edu on Sun Oct 3 21:52:09 2021
    You should be able to create a new master key with the new encryption type, then migrate the principal DB to the new master key; then you should use the updated principal DB and updated master key, and add a new line for the master key encryption.

    On Sun, Oct 3, 2021 at 9:33 PM <kerberos-request@mit.edu> wrote:



    Today's Topics:

    1. master key type in kdc.conf (Dan Mahoney (Gushi))
    2. supported enctypes: what is the net effect of removing 3des?
    (Dan Mahoney (Gushi))


    ----------------------------------------------------------------------

    Message: 1
    Date: Sun, 3 Oct 2021 00:36:23 -0700 (PDT)
    From: "Dan Mahoney (Gushi)" <danm@prime.gushi.org>
    Subject: master key type in kdc.conf
    To: kerberos@mit.edu
    Message-ID: <7dedcb59-f09e-54ed-a0ce-5b5aac3357d@prime.gushi.org>

    Hey all,

    We're in the process of rolling our mkey to get off 3des, and we found
    that someone in the before-times has put this line in our kdc.conf:

    master_key_type = des3-hmac-sha1

    Obviously, that's not going to be the master key type of the new key, and
    of course, I think when this command came out, there was no "use mkey" format, so this was perhaps a primitive rollover method?

    Would things break if I just took this line out? Or would the kdc fail to start because a K/M of the default enctype isn't present yet?

    Does it make sense to remove this line before rollover or after?
    (This might be worth a mention in the docs).

    -Dan

    --

    --------Dan Mahoney--------
    Techie, Sysadmin, WebGeek
    Gushi on efnet/undernet IRC
    FB: fb.com/DanielMahoneyIV
    LI: linkedin.com/in/gushi
    Site: http://www.gushi.org
    ---------------------------



    ------------------------------

    Message: 2
    Date: Sun, 3 Oct 2021 02:34:32 -0700 (PDT)
    From: "Dan Mahoney (Gushi)" <danm@prime.gushi.org>
    Subject: supported enctypes: what is the net effect of removing 3des?
    To: kerberos@mit.edu
    Message-ID: <bb892711-eafc-c111-20a2-f18ecfb23d3e@prime.gushi.org>

    Hey there. My org is moving off 3des.

    My reading of "supported_enctypes" is simply that it will stop kadmin/the
    KDC from generating NEW keys of an older type, correct? That if I do a
    cpw without -keepold, those keys will be removed, but otherwise the KDC will not act as though a user with 3des-only keys doesn't exist.

    Changing it should not break any authentication or tickets? Or will the
    KDC then refuse to issue TGTs that use that type at all? (It seems like that would be affected by the similarly named permitted_enctypes, though.)

    -Dan

    --

    --------Dan Mahoney--------
    Techie, Sysadmin, WebGeek
    Gushi on efnet/undernet IRC
    FB: fb.com/DanielMahoneyIV
    LI: linkedin.com/in/gushi
    Site: http://www.gushi.org
    ---------------------------



    ------------------------------




    --
    *Thanks & Regards*
    *Hanuman Huda*
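The two questions in the digest (does kdc.conf still pin master_key_type to 3DES, and which principals would be left with only 3DES keys once supported_enctypes drops it) are both things worth checking before touching the master key. The script below is an added example written for this reply; it is not code from the thread or from MIT krb5. The kdb5_util subcommands (add_mkey -s -e, list_mkeys, use_mkey, update_princ_encryption, purge_mkeys) and the kadmin.local getprinc/listprincs output format are the documented MIT ones; the kdc.conf path, the target enctype aes256-cts-hmac-sha1-96, the assumed new master key kvno of 2, and the sample kdc.conf and getprinc lines used in the checks are assumptions constructed here. des3-hmac-sha1 and des3-cbc-sha1 are the two MIT names for the same 3DES enctype, which is why the checks match on the des3 prefix.

```shell
#!/bin/sh
# Audit helpers for an MIT Kerberos KDC moving off 3DES.
# Added example, not code from the mailing-list thread or from MIT krb5.
# kdb5_util/kadmin.local usage follows the MIT admin docs; all paths, the
# target enctype and the sample data in comments/tests are constructed.

# Print key=value for the enctype-related settings present in a kdc.conf
# (master_key_type, supported_enctypes, permitted_enctypes), in file order.
kdc_conf_enctype_settings() {
    # $1: path to kdc.conf (assumed, e.g. /var/kerberos/krb5kdc/kdc.conf)
    awk -F'=' '
        /^[ \t]*(master_key_type|supported_enctypes|permitted_enctypes)[ \t]*=/ {
            key = $1; sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key)
            val = $2; sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            print key "=" val
        }' "$1"
}

# Exit 0 when kdc.conf still pins master_key_type to a 3DES enctype
# (the "master_key_type = des3-hmac-sha1" line from the first question).
master_key_type_is_3des() {
    kdc_conf_enctype_settings "$1" | grep -q '^master_key_type=des3'
}

# Exit 0 when supported_enctypes still lists 3DES, i.e. addprinc/cpw would
# keep generating new 3DES keys.
supported_enctypes_has_3des() {
    kdc_conf_enctype_settings "$1" | grep '^supported_enctypes=' | grep -q 'des3'
}

# Read the output of  kadmin.local -q "getprinc NAME"  on stdin and print
# "3des-only", "mixed" or "no-3des" based on its "Key: vno N, ENCTYPE" lines.
classify_principal_keys() {
    awk '
        /^Key: vno/ {
            split($0, parts, ", ")       # e.g. "Key: vno 2, des3-cbc-sha1, no salt"
            if (parts[2] ~ /^des3/) des3++; else other++
        }
        END {
            if (des3 > 0 && other == 0) print "3des-only"
            else if (des3 > 0)          print "mixed"
            else                        print "no-3des"
        }'
}

# Walk the live database and list principals that would have no usable key
# left once 3DES is gone. Needs a real KDB, so it is not exercised in tests.
list_3des_only_principals() {
    kadmin.local -q "listprincs" | grep '@' | while read -r princ; do
        if [ "$(kadmin.local -q "getprinc $princ" | classify_principal_keys)" = "3des-only" ]; then
            echo "$princ"
        fi
    done
}

# Master key rollover as documented for kdb5_util; -s also updates the stash.
# $1: new enctype (assumed default aes256-cts-hmac-sha1-96)
# $2: kvno of the new master key as shown by list_mkeys (assumed 2)
# Set DRY_RUN=1 to print the commands instead of running them.
rollover_master_key() {
    new_enctype=${1:-aes256-cts-hmac-sha1-96}
    new_kvno=${2:-2}
    run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }
    run kdb5_util add_mkey -s -e "$new_enctype"
    run kdb5_util list_mkeys                       # confirm the kvno before use_mkey
    run kdb5_util use_mkey "$new_kvno"
    run kdb5_util update_princ_encryption -f       # re-encrypt all principal keys
    run kdb5_util purge_mkeys -f                   # drop the old 3DES master key
}

# Typical use (paths assumed):
#   master_key_type_is_3des /var/kerberos/krb5kdc/kdc.conf && echo "kdc.conf still pins 3DES mkey"
#   list_3des_only_principals
#   DRY_RUN=1; rollover_master_key aes256-cts-hmac-sha1-96 2
```

Run the two kdc.conf checks and list_3des_only_principals first; a principal that comes back 3des-only needs a cpw (or a -keepold decision) before supported_enctypes and permitted_enctypes lose 3DES, otherwise that user is left with no key the KDC will use. The rollover function only sequences the documented kdb5_util steps; check list_mkeys output yourself before passing the kvno to use_mkey.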
