heimdal icon indicating copy to clipboard operation
heimdal copied to clipboard

Published 20 hours ago verified publisher icon heimdal

Update heimdal default_keys or at least remove deprecated enctypes?

Open eest opened this issue 2 years ago • 2 comments

Describe the bug The default enctype set used when creating principals includes deprecated enctypes:

https://github.com/heimdal/heimdal/blob/56b60a1a40022b651091933200dbefd087e32805/lib/hdb/keys.c#L79-L83 ... and... https://github.com/heimdal/heimdal/blob/56b60a1a40022b651091933200dbefd087e32805/lib/hdb/keys.c#L674-L679

and both RC4 and DES3 are considered deprecated, mentioned for example in the MIT docs: https://web.mit.edu/kerberos/krb5-latest/doc/admin/enctypes.html

To Reproduce Steps to reproduce the behavior:

  1. Run KDC master with no default_keys set in [kadmin] stanza
  2. Add new principal via kadmin
  3. Check selected enctypes

Expected behavior With no configured enctypes it seems deprecated encryption types should not be used by default. I am not sure what a proper default would be right now, maybe aes256-cts-hmac-sha384-192:pw-salt followed by aes256-cts-hmac-sha1-96:pw-salt?

eest avatar Apr 19 '22 09:04 eest

See also https://www.rfc-editor.org/rfc/rfc8429

abartlet avatar Aug 19 '22 03:08 abartlet

  1. kdc/config.c reads the "[kdc] disable-des" option to decide whether or not ETYPE_DES_XXXX should be disabled. Perhaps "disable-des" should become an alias for "disable-deprecated" and the list of encryption types to be disabled should include 3DES and RC4-HMAC. Note that RC4-HMAC is still required for interop with many Windows systems.
  2. For a new default_keytypes[] is there any reason not to include both aes256-cts-hmac-sha384-192 and aes128-cts-hmac-sha256-128?

jaltman avatar Sep 16 '22 21:09 jaltman

  1. kdc/config.c reads the "[kdc] disable-des" option to decide whether or not ETYPE_DES_XXXX should be disabled. Perhaps "disable-des" should become an alias for "disable-deprecated" and the list of encryption types to be disabled should include 3DES and RC4-HMAC. Note that RC4-HMAC is still required for interop with many Windows systems.

AFAIK if you only have modern Windows OSes it's fine if you just enables AES on your trusts, see https://techcommunity.microsoft.com/t5/itops-talk-blog/tough-questions-answered-can-i-disable-rc4-etype-for-kerberos-on/ba-p/382718 I guess it should be noted somewhere? I'm all for leaving the old behind as long as an escape hatch is documented.

2. For a new default_keytypes[] is there any reason not to include both aes256-cts-hmac-sha384-192 and aes128-cts-hmac-sha256-128?

The only use case that I know of is it you use Java =<8 you only had AES128 by default and had to add Java Cryptographic Extension to get AES256 but since Java >8 you always get AES256.

simmel avatar Jan 11 '23 20:01 simmel