[Samba] Strong cryptography for Kerberos available?
abartlet at samba.org
Sun Jul 6 02:59:33 MDT 2014
On Sat, 2014-07-05 at 18:11 +0200, Lars Hanke wrote:
> On 04.07.2014 13:09, Andrew Bartlett wrote:
> > On Thu, 2014-07-03 at 22:54 +0200, Lars Hanke wrote:
> >> If I query the AD DC I see:
> >> root at samba4:/# ldapsearch -H ldap://samba.ad.microsult.de -Y GSSAPI
> >> '(sAMAccountName=mgr)'
> >> SASL/GSSAPI authentication started
> >> SASL username: Administrator at AD.MICROSULT.DE
> >> SASL SSF: 56
> >> SASL data security layer installed.
> >> I would like to see SASL SSF: 112. Does anyone know whether and where
> >> this can be configured?
> > I don't think it's actually that weak, but the SASL libs probably don't
> > know how to tell any better. At the very least it would be using
> > arcfour-hmac-md5, perhaps AES if provisioned at a high enough functional
> > level.
> Well, single DES can be brute-forced in less than a day using hardware
> available at several universities. And there are people driving cars
> worth more than such a hardware. This is weak!
And is disabled by default in all modern kerberos libs. See
'allow_weak_crypto' in krb5.conf.
> Do I interpret your answer correctly that the choice of algorithms is
> driven by SASL?
No, SASL has no part in selecting the kerberos crypto algorithm. The
strongest mutually supported algorithm is securely selected between the
KDC, client and server.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
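Added example, not part of the thread or of Samba: a small Python audit of the [libdefaults] section of a krb5.conf, checking the point Andrew raises (allow_weak_crypto) together with the enctype lists a client may pin. The "weak" names follow the set MIT krb5 refuses unless allow_weak_crypto is on (single DES, raw 3DES, export RC4); the "deprecated" set (plain arcfour-hmac, des3-cbc-sha1) is this checker's own assumption based on later MIT deprecation notices. The two configurations are constructed for the example; the realm and host names are taken from the thread.

```python
"""Audit krb5.conf [libdefaults] for weak Kerberos enctype settings.

Example code, not from the Samba thread. Enctype names follow MIT krb5
naming; only [libdefaults] is parsed, other sections are ignored.
"""
import re

# Refused by MIT krb5 unless allow_weak_crypto = true (family alias "des" too).
WEAK_ENCTYPES = {
    "des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw",
    "des-hmac-sha1", "des3-cbc-raw", "arcfour-hmac-exp", "rc4-hmac-exp",
}
# Still accepted by default but deprecated; assumption of this checker.
DEPRECATED_ENCTYPES = {
    "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac", "des3-cbc-sha1",
    "des3-hmac-sha1", "des3", "rc4",
}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")


def parse_libdefaults(text):
    """Return the key/value pairs of [libdefaults] as a dict (last one wins)."""
    section = None
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        m = re.match(r"^\[([A-Za-z_]+)\]$", line)
        if m:                                    # section header
            section = m.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        values[key.strip()] = value.strip()
    return values


def audit(text):
    """Return (severity, key, value) findings; an empty list means clean."""
    ld = parse_libdefaults(text)
    findings = []
    if ld.get("allow_weak_crypto", "false").lower() in ("true", "yes", "1"):
        findings.append(("high", "allow_weak_crypto", ld["allow_weak_crypto"]))
    for key in ENCTYPE_KEYS:
        if key not in ld:
            continue                             # library default: strong types
        for enctype in re.split(r"[\s,]+", ld[key]):
            name = enctype.lower()
            if name in WEAK_ENCTYPES:
                findings.append(("high", key, enctype))
            elif name in DEPRECATED_ENCTYPES:
                findings.append(("medium", key, enctype))
    return findings


# Constructed sample: single DES re-enabled and pinned into the enctype lists.
WEAK_CONF = """
[libdefaults]
    default_realm = AD.MICROSULT.DE
    allow_weak_crypto = true
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc
[realms]
    AD.MICROSULT.DE = {
        kdc = samba.ad.microsult.de
    }
"""

# Constructed sample: weak crypto off, AES only.
HARDENED_CONF = """
[libdefaults]
    default_realm = AD.MICROSULT.DE
    allow_weak_crypto = false
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "clean")
```

The SASL SSF figure in the thread is the SASL library's estimate, not the negotiated Kerberos enctype; to see which enctype a ticket actually uses, `klist -e` lists the session and ticket enctypes of the cached credentials.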