[Samba] Strong cryptography for Kerberos available?
Lars Hanke
debian at lhanke.de
Sat Jul 5 10:11:14 MDT 2014
On 04.07.2014 13:09, Andrew Bartlett wrote:
> On Thu, 2014-07-03 at 22:54 +0200, Lars Hanke wrote:
>> If I query the AD DC I see:
>>
>> root at samba4:/# ldapsearch -H ldap://samba.ad.microsult.de -Y GSSAPI
>> '(sAMAccountName=mgr)'
>> SASL/GSSAPI authentication started
>> SASL username: Administrator at AD.MICROSULT.DE
>> SASL SSF: 56
>> SASL data security layer installed.
>>
>> I would like to see SASL SSF: 112. Does anyone know whether and where
>> this can be configured?
>
> I don't think it's actually that weak, but the SASL libs probably don't
> know how to tell any better. At the very least it would be using
> arcfour-hmac-md5, perhaps AES if provisioned at a high enough functional
> level.

Well, single DES can be brute-forced in less than a day using hardware
available at several universities. And there are people driving cars
worth more than such hardware. This is weak!

Do I interpret your answer correctly that the choice of algorithms is
driven by SASL?

Kind regards,
- lars.