[Samba] Strong cryptography for Kerberos available?

Harry Jede walk2sun at arcor.de
Sat Jul 5 16:14:28 MDT 2014


On 23:47:23, Lars Hanke wrote:
> On 04.07.2014 13:09, Andrew Bartlett wrote:
> > On Thu, 2014-07-03 at 22:54 +0200, Lars Hanke wrote:
> >> If I query the AD DC I see:
> >> 
> >> root at samba4:/# ldapsearch -H  ldap://samba.ad.microsult.de -Y
> >> GSSAPI '(sAMAccountName=mgr)'
> >> SASL/GSSAPI authentication started
> >> SASL username: Administrator at AD.MICROSULT.DE
> >> SASL SSF: 56
> >> SASL data security layer installed.
> >> 
> >> I would like to see SASL SSF: 112. Does anyone know whether and
> >> where this can be configured?
> > 
> > I don't think it's actually that weak, but the SASL libs probably
> > don't know how to tell any better.  At the very least it would be
> > using arcfour-hmac-md5, perhaps AES if provisioned at a high
> > enough functional level.
> 
> Well, single DES can be brute-forced in less than a day using
> hardware available at several universities. And there are people
> driving cars worth more than such hardware. This is weak!
> 
> Do I interpret your answer correctly that the choice of algorithms is
> driven by SASL?
Yes and No!

SASL does not know which SSF Kerberos uses, so SASL always answers with 
SSF 56. SSF 56 (DES) is the minimum SSF any Kerberos implementation uses.

Some SASL versions assume that triple-DES is available and report 112, 
depending on the Kerberos library you compiled with.

If you use TLS or SSL, the SSF is reliable; if you use Kerberos, check your 
Kerberos configuration.

> 
> Kind regards,
>   - lars.


-- 

regards
	Harry Jede
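Since the thread's conclusion is that the SASL SSF number says nothing about the Kerberos session key actually in use, the practical check is to look at the enctypes Kerberos itself reports. The script below is an added example, not code from the thread or from Samba: it parses the `Etype (skey, tkt):` lines that MIT `klist -e` prints and reports the weakest session-key enctype found, so a DES or RC4 session key shows up even when SASL reports SSF 56 for everything. The `klist` output embedded in it is constructed sample data (made-up realm, hostnames and times), not output from any poster's system.

```shell
#!/bin/sh
# Added example: grade Kerberos session-key enctypes from `klist -e` output
# rather than trusting the SSF value SASL reports for GSSAPI.

# classify_enctype NAME -> prints "<key bits> <verdict>" for one enctype name.
# Names follow the MIT Kerberos spelling; anything unrecognised is "0 unknown".
classify_enctype() {
    case "$1" in
        des-cbc-crc|des-cbc-md4|des-cbc-md5)                 printf '56 weak\n' ;;
        des3-cbc-sha1|des3-cbc-sha1-kd)                      printf '112 legacy\n' ;;
        arcfour-hmac|arcfour-hmac-md5|rc4-hmac)              printf '128 legacy\n' ;;
        aes128-cts-hmac-sha1-96|aes128-cts-hmac-sha256-128)  printf '128 strong\n' ;;
        aes256-cts-hmac-sha1-96|aes256-cts-hmac-sha384-192)  printf '256 strong\n' ;;
        *)                                                   printf '0 unknown\n' ;;
    esac
}

# weakest_session_key: reads `klist -e` output on stdin and prints the lowest
# "<bits> <verdict>" seen among the session keys (the first name after
# "Etype (skey, tkt):"). Prints "9999 none" if no Etype line was found.
weakest_session_key() {
    min_bits=9999
    min_verdict=none
    while IFS= read -r line; do
        case "$line" in
            *"Etype (skey, tkt):"*) ;;
            *) continue ;;
        esac
        skey=${line#*: }        # drop the "Etype (skey, tkt): " prefix
        skey=${skey%%,*}        # keep only the session-key enctype
        set -- $(classify_enctype "$skey")
        if [ "$1" -lt "$min_bits" ]; then
            min_bits=$1
            min_verdict=$2
        fi
    done
    printf '%s %s\n' "$min_bits" "$min_verdict"
}

# Constructed sample in MIT `klist -e` format (not real output): the TGT has an
# AES session key, but the LDAP service ticket negotiated an RC4 session key.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@AD.EXAMPLE.TEST

Valid starting       Expires              Service principal
07/05/2014 16:00:00  07/06/2014 02:00:00  krbtgt/AD.EXAMPLE.TEST@AD.EXAMPLE.TEST
	Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
07/05/2014 16:00:05  07/06/2014 02:00:00  ldap/dc1.ad.example.test@AD.EXAMPLE.TEST
	Etype (skey, tkt): arcfour-hmac, aes256-cts-hmac-sha1-96'

# Live usage would be:  klist -e | weakest_session_key
printf '%s\n' "$SAMPLE_KLIST" | weakest_session_key
```

Running it on the sample prints `128 legacy`, because the RC4 session key on the LDAP ticket is the weakest one present; a DES key would print `56 weak`. Heimdal's `klist` formats its enctype lines differently, so the `Etype (skey, tkt):` match here assumes MIT Kerberos.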

