Package: krb5-kdc
Version: 1.12.1+dfsg-19+deb8u1
Severity: normal
Hello! I was recently installing and configuring a new Kerberos 5 realm
when I realized that my krbtgt had two different DES keys:
# kadmin.local
Authenticating as principal root/[email protected] with password.
kadmin.local: getprinc krbtgt/[email protected]
Principal: krbtgt/[email protected]
Expiration date: [never]
Last password change: [never]
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Dec 03 00:10:37 UTC 2015 ([email protected])
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 5
Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Key: vno 1, arcfour-hmac, no salt
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, des-cbc-crc, no salt
Key: vno 1, des-cbc-md5, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
I was a bit confused: allow_weak_crypto defaults to false, so why would
the des-cbc-crc and des-cbc-md5 keys be generated?
I discovered that the Debian kdc.conf supports by default a number of
single DES encryption types:
master_key_type = des3-hmac-sha1
supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
And it looks like /etc/krb5kdc/kdc.conf is coming from
/usr/share/krb5-kdc/kdc.conf.template, in krb5-kdc:
/var/lib/dpkg/info/krb5-kdc.postinst:
/usr/share/krb5-kdc/kdc.conf.template > /etc/krb5kdc/kdc.conf
The file /usr/share/doc/krb5-kdc/examples/kdc.conf is also affected.
Since I was very early on in the installation process, I updated the kdc
configuration, removed the database, and regenerated the realm. I
verified this gets rid of the DES keys:
# kadmin.local
Authenticating as principal root/[email protected] with password.
kadmin.local: getprinc krbtgt/[email protected]
Principal: krbtgt/[email protected]
Expiration date: [never]
Last password change: [never]
Password expiration date: [none]
Maximum ticket life: 0 days 12:00:00
Maximum renewable life: 1 day 00:00:00
Last modified: Thu Dec 03 03:59:04 UTC 2015 ([email protected])
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Key: vno 1, aes128-cts-hmac-sha1-96, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
RFC 6649[*] has specified the deprecation of DES in implementations and
deployments of Kerberos. It would be really great if you could remove
these settings from the default config.
Thanks!
- e
[*] http://tools.ietf.org/html/rfc6649.html
-- System Information:
Debian Release: 8.2
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages krb5-kdc depends on:
ii debconf [debconf-2.0] 1.5.56
ii init-system-helpers 1.22
ii krb5-config 2.3
ii krb5-user 1.12.1+dfsg-19+deb8u1
ii libc6 2.19-18+deb8u1
ii libcomerr2 1.42.12-1.1
ii libgssapi-krb5-2 1.12.1+dfsg-19+deb8u1
ii libgssrpc4 1.12.1+dfsg-19+deb8u1
ii libk5crypto3 1.12.1+dfsg-19+deb8u1
ii libkadm5clnt-mit9 1.12.1+dfsg-19+deb8u1
ii libkadm5srv-mit9 1.12.1+dfsg-19+deb8u1
ii libkdb5-7 1.12.1+dfsg-19+deb8u1
ii libkeyutils1 1.5.9-5+b1
ii libkrb5-3 1.12.1+dfsg-19+deb8u1
ii libkrb5support0 1.12.1+dfsg-19+deb8u1
ii libverto-libev1 0.2.4-2
ii libverto1 0.2.4-2
ii lsb-base 4.1+Debian13+nmu1
krb5-kdc recommends no packages.
Versions of packages krb5-kdc suggests:
ii krb5-admin-server 1.12.1+dfsg-19+deb8u1
pn krb5-kdc-ldap <none>
ii xinetd [inet-superserver] 1:2.3.15-3
-- debconf information:
krb5-kdc/debconf: true
krb5-kdc/purge_data_too: false
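The check a practitioner would want after reading the report above: something that flags single-DES keys on existing principals and weak entries in a kdc.conf supported_enctypes value, so the problem can be found on a realm that was not rebuilt from scratch. The script below is an added example, not part of the bug report or of the krb5 packages. The EXAMPLE.COM principal names are constructed; the Debian 8 default value is the one quoted in the report, and the AES-only value is an assumption about what the reporter configured before regenerating the realm.

```python
"""Audit an MIT Kerberos KDC for single-DES keys (deprecated by RFC 6649) on
principals and in kdc.conf supported_enctypes. Added example; not code from the
bug report or the krb5 package. Principal names use the constructed EXAMPLE.COM."""
import re
import shutil
import subprocess

# getprinc prints canonical enctype names (des-cbc-crc, des3-cbc-sha1, ...);
# kdc.conf also accepts the short aliases (des, des3, aes256-cts, ...).
# Prefix matching covers both spellings.
def classify(enctype):
    name = enctype.lower()
    if name == "des" or name.startswith("des-"):
        return "single-des"   # deprecated by RFC 6649; must not be issued at all
    if name.startswith("des3"):
        return "3des"         # legacy; the reporter's final config dropped it too
    if name.startswith("arcfour") or name.startswith("rc4"):
        return "rc4"          # legacy; likewise dropped
    return "ok"               # aes*, camellia*, ...

KEY_RE = re.compile(r"^Key: vno (\d+), ([^,]+), (.*)$")

def parse_getprinc(text):
    """Return (principal, [(kvno, enctype, salt), ...]) from `getprinc` output."""
    principal, keys = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Principal: "):
            principal = line[len("Principal: "):]
        m = KEY_RE.match(line)
        if m:
            keys.append((int(m.group(1)), m.group(2).strip(), m.group(3).strip()))
    return principal, keys

def weak_keys(text):
    """[(enctype, class)] for every key of the principal that is not 'ok'."""
    _, keys = parse_getprinc(text)
    return [(e, classify(e)) for _, e, _ in keys if classify(e) != "ok"]

def audit_supported_enctypes(value):
    """Bucket each 'enctype:salttype' token of a supported_enctypes value by class."""
    buckets = {"single-des": [], "3des": [], "rc4": [], "ok": []}
    for token in value.split():
        buckets[classify(token.split(":", 1)[0])].append(token)
    return buckets

def audit_realm_live():
    """Walk every principal with kadmin.local (needs root on the KDC host).
    Returns {principal: weak_keys} or None when kadmin.local is not installed."""
    if shutil.which("kadmin.local") is None:
        return None
    def kadmin(query):
        return subprocess.run(["kadmin.local", "-q", query],
                              capture_output=True, text=True, check=True).stdout
    princs = [line.strip() for line in kadmin("listprincs").splitlines()
              if "@" in line and not line.startswith("Authenticating")]
    return {p: w for p in princs if (w := weak_keys(kadmin(f"getprinc {p}")))}

# Constructed sample: the two getprinc dumps from the report, realm renamed.
SAMPLE_WEAK = """Principal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Number of keys: 5
Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Key: vno 1, arcfour-hmac, no salt
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, des-cbc-crc, no salt
Key: vno 1, des-cbc-md5, no salt
"""
SAMPLE_FIXED = """Principal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Number of keys: 2
Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Key: vno 1, aes128-cts-hmac-sha1-96, no salt
"""
# Debian 8 default (quoted in the report) and an AES-only value that would yield
# the second dump; the latter is an assumption about the reporter's config.
DEBIAN_DEFAULT = ("aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal "
                  "des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3")
AES_ONLY = "aes256-cts:normal aes128-cts:normal"

if __name__ == "__main__":
    for label, value in (("debian default", DEBIAN_DEFAULT), ("aes only", AES_ONLY)):
        b = audit_supported_enctypes(value)
        print(f"{label}: single-DES={b['single-des']} 3des={b['3des']} rc4={b['rc4']}")
    print("weak keys before:", weak_keys(SAMPLE_WEAK))
    print("weak keys after: ", weak_keys(SAMPLE_FIXED))
    live = audit_realm_live()
    if live is not None:
        for p, w in live.items():
            print(f"{p}: {w}")
```

Run it as root on the KDC to get the live report; without kadmin.local it only exercises the embedded samples. Note that supported_enctypes governs which keys the KDC generates for new or re-keyed principals; editing kdc.conf does not remove DES keys already stored for existing principals, which is why the reporter had to rebuild the realm, and why a running realm has to re-key (cpw) every principal the audit flags.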