[Samba] Strong cryptography for Kerberos available?
Andrew Bartlett
abartlet at samba.org
Sun Jul 6 02:59:33 MDT 2014
On Sat, 2014-07-05 at 18:11 +0200, Lars Hanke wrote:
> On 04.07.2014 13:09, Andrew Bartlett wrote:
> > On Thu, 2014-07-03 at 22:54 +0200, Lars Hanke wrote:
> >> If I query the AD DC I see:
> >>
> >> root at samba4:/# ldapsearch -H ldap://samba.ad.microsult.de -Y GSSAPI
> >> '(sAMAccountName=mgr)'
> >> SASL/GSSAPI authentication started
> >> SASL username: Administrator at AD.MICROSULT.DE
> >> SASL SSF: 56
> >> SASL data security layer installed.
> >>
> >> I would like to see SASL SSF: 112. Does anyone know whether and where
> >> this can be configured?
> >
> > I don't think it's actually that weak, but the SASL libs probably don't
> > know how to tell any better. At the very least it would be using
> > arcfour-hmac-md5, perhaps AES if provisioned at a high enough functional
> > level.
>
> Well, single DES can be brute-forced in less than a day using hardware
> available at several universities. And there are people driving cars
> worth more than such a hardware. This is weak!
And it is disabled by default in all modern Kerberos libs. See
'allow_weak_crypto' in krb5.conf.
> Do I interpret your answer correctly that the choice of algorithms is
> driven by SASL?
No, SASL has no part in selecting the Kerberos crypto algorithm. The
strongest mutually supported algorithm is securely selected between the
KDC, client and server.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
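One way to verify which enctype the KDC actually negotiated, rather than trusting the SASL SSF figure discussed above: an added shell example (not from this thread or from Samba) that classifies the enctypes reported by MIT Kerberos `klist -e`. The sample output, the hostnames in it and the weak/legacy enctype lists are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or Samba): classify the enctypes that
# MIT Kerberos "klist -e" reports for each ticket, so the real negotiated
# algorithm is checked instead of the SASL SSF number.
# Live use: klist -e | classify_enctypes

# Assumed lists: single-DES and export-RC4 enctypes (what allow_weak_crypto
# gates in MIT krb5) count as WEAK; RC4 and 3DES are flagged as LEGACY.
WEAK_RE='^des-cbc-|^arcfour-hmac-exp'
LEGACY_RE='^arcfour-hmac|^rc4-hmac|^des3-cbc-sha1'

# Read klist -e output on stdin; print "<enctype><TAB><class>" for the
# session key and the ticket of every "Etype (skey, tkt):" line.
classify_enctypes() {
    awk -v weak="$WEAK_RE" -v legacy="$LEGACY_RE" '
        /Etype \(skey, tkt\):/ {
            sub(/.*Etype \(skey, tkt\): */, "")
            n = split($0, parts, /, */)
            for (i = 1; i <= n; i++) {
                e = parts[i]
                cls = "ok"
                if (e ~ legacy) cls = "LEGACY"
                if (e ~ weak)   cls = "WEAK"
                print e "\t" cls
            }
        }'
}

# Succeeds only when every enctype on stdin is neither WEAK nor LEGACY.
all_strong() {
    ! classify_enctypes | grep -Eq '(WEAK|LEGACY)$'
}

# Constructed sample in klist -e format (not captured from a real host).
sample_klist() {
    cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@AD.MICROSULT.DE

Valid starting       Expires              Service principal
07/06/2014 10:00:00  07/06/2014 20:00:00  krbtgt/AD.MICROSULT.DE@AD.MICROSULT.DE
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
07/06/2014 10:00:05  07/06/2014 20:00:00  ldap/samba.ad.microsult.de@AD.MICROSULT.DE
        Etype (skey, tkt): arcfour-hmac, arcfour-hmac
07/06/2014 10:00:09  07/06/2014 20:00:00  host/legacy.ad.microsult.de@AD.MICROSULT.DE
        Etype (skey, tkt): des-cbc-md5, des-cbc-md5
EOF
}

sample_klist | classify_enctypes
```

Run against a real cache with `klist -e | all_strong && echo strong` to get a pass/fail exit status for scripting.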