On the Cryptography mailing list 
(http://www.metzdowd.com/pipermail/cryptography/2018-May/034150.html) 
a question came up regarding Kerberos' ability to replace passwords in a 
secure way.
As John Gilmore pointed out, Kerberos on Ubuntu uses the outdated SHA-1 hash, 
so I tried to find out what Fedora does instead.

What I found confuses me.

In the directory /etc/krb5.conf.d you'll find a file named "crypto-policies" 
(which is actually a link) with the following content:

[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 
camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 
camellia128-cts-cmac

I thought that the entries under permitted_enctypes would limit the 
cipher suites that would be acceptable to my brand-new F28 installation. 
So I deleted everything except the two cipher suites I want to allow and 
changed the content of this file to: 

[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128

The result (after a fresh reboot) was that authentication to FEDORAPROJECT.ORG 
shows that the SHA-1 cipher suite is still being used. The same applies to my 
old F26 installation.

$ klist -e
Ticketzwischenspeicher: KEYRING:persistent:1000:1000
Standard-Principal: sende...@fedoraproject.org

Valid starting       Expires              Service principal
10.05.2018 11:28:27  11.05.2018 11:25:08  
HTTP/id.fedoraproject....@fedoraproject.org
        erneuern bis 17.05.2018 11:25:08, Etype (Skey, TKT): 
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 
10.05.2018 11:28:27  11.05.2018 11:25:08  HTTP/id.fedoraproject.org@
        erneuern bis 17.05.2018 11:25:08, Etype (Skey, TKT): 
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 
10.05.2018 11:25:14  11.05.2018 11:25:08  
krbtgt/fedoraproject....@fedoraproject.org
        erneuern bis 17.05.2018 11:25:08, Etype (Skey, TKT): 
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 

Does anyone here know why the Kerberos crypto-policy does not do what it's 
supposed to do?

Ralf
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
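An added example, not part of the original post: a small Python audit script that parses `klist -e` output of the kind shown above and reports every ticket whose session-key or ticket enctype falls outside a `permitted_enctypes` line, so the effect (or not) of a policy change can be checked mechanically. The sample output, principals and realm below are constructed for the example; the German locale labels are kept because the parser only keys on the `Etype (Skey, TKT):` field, which krb5 does not localize.

```python
import re
import subprocess

# Constructed sample modelled on the `klist -e` output in the post, including
# the line wrapping that put the enctype pair on the following line.
SAMPLE_KLIST = """Ticketzwischenspeicher: KEYRING:persistent:1000:1000
Standard-Principal: user@EXAMPLE.ORG

Valid starting       Expires              Service principal
10.05.2018 11:28:27  11.05.2018 11:25:08  HTTP/id.example.org@EXAMPLE.ORG
        erneuern bis 17.05.2018 11:25:08, Etype (Skey, TKT): 
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 
10.05.2018 11:25:14  11.05.2018 11:25:08  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        erneuern bis 17.05.2018 11:25:08, Etype (Skey, TKT): aes256-cts-hmac-sha384-192, aes128-cts-hmac-sha256-128
"""

# The policy line the post wanted to enforce (constructed copy of it).
POLICY_LINE = "permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128"

# One ticket record: two timestamps (digits first, so the header line and the
# principal lines never match), the service principal, then somewhere in the
# following lines the "Etype (Skey, TKT): skey, tkt" pair, possibly wrapped.
RECORD_RE = re.compile(
    r"^\d\S* \d\S*\s+\d\S* \d\S*\s+(?P<princ>\S+@\S*)[ \t]*\n"
    r".*?Etype \(Skey, TKT\):\s*(?P<skey>[\w-]+),\s*(?P<tkt>[\w-]+)",
    re.MULTILINE | re.DOTALL,
)


def parse_permitted(policy_line):
    """Turn a krb5.conf 'permitted_enctypes = a b c' line into a set of names."""
    _, _, value = policy_line.partition("=")
    return set(value.split())


def find_policy_violations(klist_output, permitted):
    """Return (principal, skey, tkt) for each ticket whose session-key or
    ticket enctype is not in the permitted set, e.g. the SHA-1 based ones."""
    violations = []
    for m in RECORD_RE.finditer(klist_output):
        skey, tkt = m["skey"], m["tkt"]
        if skey not in permitted or tkt not in permitted:
            violations.append((m["princ"], skey, tkt))
    return violations


if __name__ == "__main__":
    # Run against the live credential cache instead of the constructed sample.
    live = subprocess.run(["klist", "-e"], capture_output=True, text=True).stdout
    for princ, skey, tkt in find_policy_violations(live, parse_permitted(POLICY_LINE)):
        print(f"{princ}: session key {skey}, ticket {tkt} not in permitted_enctypes")
```

The TKT column is the enctype of the long-term key the KDC holds for that service principal, which a client-side setting cannot change; only the Skey column is subject to the client's enctype configuration.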