The krb5.conf generated during net ads join and weak enc types

Simo simo at samba.org
Tue Jun 16 17:29:30 MDT 2015


On Tue, 2015-06-16 at 12:00 -0700, Jeremy Allison wrote:
> On Tue, Jun 16, 2015 at 11:46:01AM -0700, Richard Sharpe wrote:
> > Hi folks,
> > 
> > Our paranoid security folks are saying that we must only allow the use
> > of the enctypes aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96.
> > 
> > I notice that the krb5.conf file generated during net ads join
> > includes some other, weaker, enc_types like RC4-HMAC, DES-CBC-CRC, etc
> > and they suggest that we should remove them from the generated
> > krb5.conf.
> 
> Sounds good to me - do you want to log a bug so
> we can track this?

Yes please, this is harder than you may think. (And generating files
stinks in the first place, why do we still need that?)

> > However, I notice that on the platform we are using, CentOS 6.x, the
> > default in the [libdefaults] section of krb5.conf is
> > 'allow_weak_crypto = false' so these should be weeded out anyway
> > shouldn't they unless we are silly enough to explicitly set it to
> > true?
> 
> Not sure, but it really shouldn't hurt to remove
> them. RC4 and DES are dead and starting to smell
> really bad :-).

RC4 is not weeded out by allow_weak_crypto = false, and also it may be
necessary in some old (2003) domains, which is why it was added I guess.

Simo.
-- 
Simo Sorce
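As an added illustration of Simo's point (not code from this thread or from Samba): a small Python checker run over a constructed krb5.conf in the shape that net ads join writes, which reports every entry in the [libdefaults] enctype lists beyond the two AES types Richard's security team allows and produces a trimmed copy, without relying on allow_weak_crypto. The sample realm, host and the three enctype key names are assumptions.

```python
import re
# Keys in [libdefaults] that carry enctype lists, and the only enctypes the thread wants kept.
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")
ALLOWED = frozenset({"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"})
# Constructed sample in the shape of a generated krb5.conf (not a file from the thread).
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = false
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
    }
"""

def _libdefaults(text):
    """Yield (line_no, key, value) for each top-level key = value inside [libdefaults]."""
    section = None
    for i, line in enumerate(text.splitlines()):
        s = line.strip()
        if not s or s[0] in "#;":
            continue  # blank or comment line
        if s.startswith("["):
            section = s.strip("[]").lower()
        elif section == "libdefaults" and "=" in s and not s.endswith("{"):
            key, _, value = s.partition("=")
            yield i, key.strip().lower(), value.strip()

def audit(text, allowed=ALLOWED):
    """Map each enctype key to its entries outside `allowed`; allow_weak_crypto is ignored since, as Simo notes, it does not drop rc4-hmac."""
    findings = {}
    for _, key, value in _libdefaults(text):
        if key in ENCTYPE_KEYS:  # lists may be space- or comma-separated
            bad = [e for e in re.split(r"[\s,]+", value) if e and e.lower() not in allowed]
            if bad:
                findings[key] = bad
    return findings

def harden(text, allowed=ALLOWED):
    """Return the config with every [libdefaults] enctype list cut down to `allowed`, order kept."""
    lines = text.splitlines()
    for i, key, value in _libdefaults(text):
        if key in ENCTYPE_KEYS:
            kept = " ".join(e for e in re.split(r"[\s,]+", value) if e.lower() in allowed)
            indent = lines[i][: len(lines[i]) - len(lines[i].lstrip())]
            lines[i] = f"{indent}{key} = {kept}"
    return "\n".join(lines) + "\n"
```

Running audit() on the sample reports rc4-hmac and des-cbc-crc under all three keys even though allow_weak_crypto is false; audit(harden(sample)) reports nothing.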
