Hi Rainer,

The DES only limitation of the afs/cell@REALM service principal was
removed in the 2013 release of OpenAFS 1.4.15 and 1.6.5.  Since those
releases neither the server ticket key nor the session key are
restricted to the des-cbc-crc encryption type.  All cells should be
upgraded to current versions of OpenAFS on the servers and should rekey
the afs/cell@REALM service principal with the aes256-cts-hmac-sha1-96
encryption type.

This includes cells that have deployed gssklogd.  If the KeyFile
contains a des-cbc-crc key, the cell is vulnerable to the Brute Force
Attacks described by

  http://www.openafs.org/pages/security/OPENAFS-SA-2013-003.txt

Changing the service principal encryption type protects against this
brute force attack.  However, it is important to note that even when an
aes256-cts-hmac-sha1-96 session key is negotiated, the OpenAFS client
and server will derive from that key a 56-bit key to use for the fcrypt
encryption type used by rxkad for wire security.

Jeffrey Altman
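
The check a cell administrator would want after reading the above, as an added example (not code from this thread or from OpenAFS): scan MIT `kadmin getprinc` or `klist -e` output for the single-DES enctypes that OPENAFS-SA-2013-003 makes brute-forceable. The input line formats and the `afs/CELL@REALM` name are assumptions; the sample text is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: flag single-DES key/ticket
# enctypes in text produced by (assumed formats):
#   kadmin.local -q "getprinc afs/CELL@REALM"  -> "Key: vno 3, des-cbc-crc"
#   klist -e                                   -> "Etype (skey, tkt): ..., des-cbc-crc"

WEAK_ENCTYPES='des-cbc-crc des-cbc-md5 des-cbc-md4'

# find_weak_enctypes: read kadmin/klist text on stdin, print each weak
# enctype found (once, in WEAK_ENCTYPES order). Exit 1 if any, else 0.
find_weak_enctypes() {
    input=$(cat)
    found=0
    for et in $WEAK_ENCTYPES; do
        if printf '%s\n' "$input" |
           grep -q -E "(Key: vno [0-9]+, |Etype \(skey, tkt\): ([^,]*, )?)$et(,|$)"; then
            printf '%s\n' "$et"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# Constructed sample: a service principal that kept its DES key after
# the 1.4.15/1.6.5 upgrade and only added an AES key beside it.
SAMPLE='Principal: afs/example.com@EXAMPLE.COM
Key: vno 3, des-cbc-crc, no salt
Key: vno 3, aes256-cts-hmac-sha1-96'

if weak=$(printf '%s\n' "$SAMPLE" | find_weak_enctypes); then
    echo "OK: no single-DES keys (rxkad still derives a 56-bit fcrypt key from the session key)"
else
    echo "REKEY NEEDED: weak enctype(s): $(printf '%s' "$weak" | tr '\n' ' ')"
fi
```

Pipe the real `getprinc` output into `find_weak_enctypes` on the KDC; a non-zero exit means the principal still needs the rekey described above.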

On 9/15/2020 12:32 PM, r. l. (rainer.laat...@t-online.de) wrote:
> The simplest solution: use gssklog by D.E.Engert.  The token then
> comes from an AFS vlserver's KeyFile and not from an entry
> afs/**@*** in some krb5kdc.  Just run some gssklogd and switch from
> aklog to gssklog in your profiles.  Some time ago, even CERN.ch used it.
> 
> The original tarfile can still be found at
> 
>   http://www.hep.man.ac.uk/u/masj/gssklog/
> 
> or try my updated version at
> 
>   http://95.217.219.185/ContribAFS/Gssklog-0.11.tar
> 
> The binaries were done on ScientificLinux-6.10 with a newer KRB5 in
> /opt/krb5/ and a static compilation of openafs (had to fix hcrypto
> and roken libs there)
> 
> 
> Best regards
> 
> R. Laatsch
> 
> =================================================================
> 
> On 2020-09-14 10:32, ProbaNet SRLS wrote:
>> Hello!
>>
>> Recent releases of krb5 (> 1.18) no longer support single DES
>> encryption (the "allow_weak_crypto = yes" option in krb5.conf on the
>> client side no longer has any effect), so now we get this error with
>> "aklog -d":
>>
>> ---
>>
>> Kerberos error code returned by get_cred : -1765328370
>> aklog: Couldn't get XXXXX AFS tickets:
>> aklog: KDC has no support for encryption type while getting AFS tickets
>>
>> ---
>>
>> How should we proceed?
>>
>>
>> Stefano
>>
>> _______________________________________________
>> OpenAFS-info mailing list
>> OpenAFS-info@openafs.org
>> https://lists.openafs.org/mailman/listinfo/openafs-info
