|
Packit |
fd8b60 |
.. _retiring-des:
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Retiring DES
|
|
Packit |
fd8b60 |
=======================
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Version 5 of the Kerberos protocol was originally implemented using
|
|
Packit |
fd8b60 |
the Data Encryption Standard (DES) as a block cipher for encryption.
|
|
Packit |
fd8b60 |
While it was considered secure at the time, advancements in computational
|
|
Packit |
fd8b60 |
ability have rendered DES vulnerable to brute force attacks on its 56-bit
|
|
Packit |
fd8b60 |
keyspace. As such, it is now considered insecure and should not be
|
|
Packit |
fd8b60 |
used (:rfc:`6649`).
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
History
|
|
Packit |
fd8b60 |
-------
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
DES was used in the original Kerberos implementation, and was the
|
|
Packit |
fd8b60 |
only cryptosystem in krb5 1.0. Partial support for triple-DES (3DES) was
|
|
Packit |
fd8b60 |
added in version 1.1, with full support following in version 1.2.
|
|
Packit |
fd8b60 |
The Advanced Encryption Standard (AES), which supersedes DES, gained
|
|
Packit |
fd8b60 |
partial support in version 1.3.0 of krb5 and full support in version 1.3.2.
|
|
Packit |
fd8b60 |
However, deployments of krb5 using Kerberos databases created with older
|
|
Packit |
fd8b60 |
versions of krb5 will not necessarily start using strong crypto for
|
|
Packit |
fd8b60 |
ordinary operation without administrator intervention.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
MIT krb5 began flagging deprecated encryption types with release 1.17,
|
|
Packit |
fd8b60 |
and removed DES (single-DES) support in release 1.18. As a
|
|
Packit |
fd8b60 |
consequence, a release prior to 1.18 is required to perform these
|
|
Packit |
fd8b60 |
migrations.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Types of keys
|
|
Packit |
fd8b60 |
-------------
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
* The database master key: This key is not exposed to user requests,
|
|
Packit |
fd8b60 |
but is used to encrypt other key material stored in the kerberos
|
|
Packit |
fd8b60 |
database. The database master key is currently stored as ``K/M``
|
|
Packit |
fd8b60 |
by default.
|
|
Packit |
fd8b60 |
* Password-derived keys: User principals frequently have keys
|
|
Packit |
fd8b60 |
derived from a password. When a new password is set, the KDC
|
|
Packit |
fd8b60 |
uses various string2key functions to generate keys in the database
|
|
Packit |
fd8b60 |
for that principal.
|
|
Packit |
fd8b60 |
* Keytab keys: Application server principals generally use random
|
|
Packit |
fd8b60 |
keys which are not derived from a password. When the database
|
|
Packit |
fd8b60 |
entry is created, the KDC generates random keys of various enctypes
|
|
Packit |
fd8b60 |
to enter in the database, which are conveyed to the application server
|
|
Packit |
fd8b60 |
and stored in a keytab.
|
|
Packit |
fd8b60 |
* Session keys: These are short-term keys generated by the KDC while
|
|
Packit |
fd8b60 |
processing client requests, with an enctype selected by the KDC.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
For details on the various enctypes and how enctypes are selected by the KDC
|
|
Packit |
fd8b60 |
for session keys and client/server long-term keys, see :ref:`enctypes`.
|
|
Packit |
fd8b60 |
When using the :ref:`kadmin(1)` interface to generate new long-term keys,
|
|
Packit |
fd8b60 |
the **-e** argument can be used to force a particular set of enctypes,
|
|
Packit |
fd8b60 |
overriding the KDC default values.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
.. note::
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
When the KDC is selecting a session key, it has no knowledge about the
|
|
Packit |
fd8b60 |
kerberos installation on the server which will receive the service ticket,
|
|
Packit |
fd8b60 |
only what keys are in the database for the service principal.
|
|
Packit |
fd8b60 |
In order to allow uninterrupted operation to
|
|
Packit |
fd8b60 |
clients while migrating away from DES, care must be taken to ensure that
|
|
Packit |
fd8b60 |
kerberos installations on application server machines are configured to
|
|
Packit |
fd8b60 |
support newer encryption types before keys of those new encryption types
|
|
Packit |
fd8b60 |
are created in the Kerberos database for those server principals.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Upgrade procedure
|
|
Packit |
fd8b60 |
-----------------
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
This procedure assumes that the KDC software has already been upgraded
|
|
Packit |
fd8b60 |
to a modern version of krb5 that supports non-DES keys, so that the
|
|
Packit |
fd8b60 |
only remaining task is to update the actual keys used to service requests.
|
|
Packit |
fd8b60 |
The realm used for demonstrating this procedure, ZONE.MIT.EDU,
|
|
Packit |
fd8b60 |
is an example of the worst-case scenario, where all keys in the realm
|
|
Packit |
fd8b60 |
are DES. The realm was initially created with a very old version of krb5,
|
|
Packit |
fd8b60 |
and **supported_enctypes** in :ref:`kdc.conf(5)` was set to a value
|
|
Packit |
fd8b60 |
appropriate when the KDC was installed, but was not updated as the KDC
|
|
Packit |
fd8b60 |
was upgraded:
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
::
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
[realms]
|
|
Packit |
fd8b60 |
ZONE.MIT.EDU = {
|
|
Packit |
fd8b60 |
[...]
|
|
Packit |
fd8b60 |
master_key_type = des-cbc-crc
|
|
Packit |
fd8b60 |
supported_enctypes = des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
This resulted in the keys for all principals in the realm being forced
|
|
Packit |
fd8b60 |
to DES-only, unless specifically requested using :ref:`kadmin(1)`.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Before starting the upgrade, all KDCs were running krb5 1.11,
|
|
Packit |
fd8b60 |
and the database entries for some "high-value" principals were:
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
::
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
[root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'getprinc krbtgt/ZONE.MIT.EDU'
|
|
Packit |
fd8b60 |
[...]
|
|
Packit |
fd8b60 |
Number of keys: 1
|
|
Packit |
fd8b60 |
Key: vno 1, des-cbc-crc:v4
|
|
Packit |
fd8b60 |
[...]
|
|
Packit |
fd8b60 |
[root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'getprinc kadmin/admin'
|
|
Packit |
fd8b60 |
[...]
|
|
Packit |
fd8b60 |
Number of keys: 1
|
|
Packit |
fd8b60 |
Key: vno 15, des-cbc-crc
|
|
Packit |
fd8b60 |
[...]
|
|
Packit |
fd8b60 |
[root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'getprinc kadmin/changepw'
|
|
Packit |
fd8b60 |
[...]
|
|
Packit |
fd8b60 |
Number of keys: 1
|
|
Packit |
fd8b60 |
Key: vno 14, des-cbc-crc
|
|
Packit |
fd8b60 |
[...]
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
The ``krbtgt/REALM`` key appears to have never been changed since creation
|
|
Packit |
fd8b60 |
(its kvno is 1), and all three database entries have only a des-cbc-crc key.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
The krbtgt key and KDC keys
|
|
Packit |
fd8b60 |
~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Perhaps the biggest single-step improvement in the security of the cell
|
|
Packit |
fd8b60 |
is gained by strengthening the key of the ticket-granting service principal,
|
|
Packit |
fd8b60 |
``krbtgt/REALM``---if this principal's key is compromised, so is the
|
|
Packit |
fd8b60 |
entire realm. Since the server that will handle service tickets
|
|
Packit |
fd8b60 |
for this principal is the KDC itself, it is easy to guarantee that it
|
|
Packit |
fd8b60 |
will be configured to support any encryption types which might be
|
|
Packit |
fd8b60 |
selected. However, the default KDC behavior when creating new keys is to
|
|
Packit |
fd8b60 |
remove the old keys, which would invalidate all existing tickets issued
|
|
Packit |
fd8b60 |
against that principal, rendering the TGTs cached by clients useless.
|
|
Packit |
fd8b60 |
Instead, a new key can be created with the old key retained, so that
|
|
Packit |
fd8b60 |
existing tickets will still function until their scheduled expiry
|
|
Packit |
fd8b60 |
(see :ref:`changing_krbtgt_key`).
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
::
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
[root@casio krb5kdc]# enctypes=aes256-cts-hmac-sha1-96:normal,\
|
|
Packit |
fd8b60 |
> aes128-cts-hmac-sha1-96:normal,des3-hmac-sha1:normal,des-cbc-crc:normal
|
|
Packit |
fd8b60 |
[root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q "cpw -e ${enctypes} -randkey \
|
|
Packit |
fd8b60 |
> -keepold krbtgt/ZONE.MIT.EDU"
|
|
Packit |
fd8b60 |
Authenticating as principal root/admin@ZONE.MIT.EDU with password.
|
|
Packit |
fd8b60 |
Key for "krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU" randomized.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
.. note::
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
The new ``krbtgt@REALM`` key should be propagated to replica KDCs
|
|
Packit |
fd8b60 |
immediately so that TGTs issued by the master KDC can be used to
|
|
Packit |
fd8b60 |
issue service tickets on replica KDCs. Replica KDCs will refuse
|
|
Packit |
fd8b60 |
requests using the new TGT kvno until the new krbtgt entry has
|
|
Packit |
fd8b60 |
been propagated to them.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
It is necessary to explicitly specify the enctypes for the new database
|
|
Packit |
fd8b60 |
entry, since **supported_enctypes** has not been changed. Leaving
|
|
Packit |
fd8b60 |
**supported_enctypes** unchanged makes a potential rollback operation
|
|
Packit |
fd8b60 |
easier, since all new keys of new enctypes are the result of explicit
|
|
Packit |
fd8b60 |
administrator action and can be easily enumerated.
|
|
Packit |
fd8b60 |
Upgrading the krbtgt key should have minimal user-visible disruption other
|
|
Packit |
fd8b60 |
than that described in the note above, since only clients which list the
|
|
Packit |
fd8b60 |
new enctypes as supported will use them, per the procedure
|
|
Packit |
fd8b60 |
in :ref:`session_key_selection`.
|
|
Packit |
fd8b60 |
Once the krbtgt key is updated, the session and ticket keys for user
|
|
Packit |
fd8b60 |
TGTs will be strong keys, but subsequent requests
|
|
Packit |
fd8b60 |
for service tickets will still get DES keys until the service principals
|
|
Packit |
fd8b60 |
have new keys generated. Application service
|
|
Packit |
fd8b60 |
remains uninterrupted due to the key-selection procedure on the KDC.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
After the change, the database entry is now:
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
::
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
[root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'getprinc krbtgt/ZONE.MIT.EDU'
|
|
Packit |
fd8b60 |
[...]
|
|
Packit |
fd8b60 |
Number of keys: 5
|
|
Packit |
fd8b60 |
Key: vno 2, aes256-cts-hmac-sha1-96
|
|
Packit |
fd8b60 |
Key: vno 2, aes128-cts-hmac-sha1-96
|
|
Packit |
fd8b60 |
Key: vno 2, des3-cbc-sha1
|
|
Packit |
fd8b60 |
Key: vno 2, des-cbc-crc
|
|
Packit |
fd8b60 |
Key: vno 1, des-cbc-crc:v4
|
|
Packit |
fd8b60 |
[...]
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Since the expected disruptions from rekeying the krbtgt principal are
|
|
Packit |
fd8b60 |
minor, after a short testing period, it is
|
|
Packit |
fd8b60 |
appropriate to rekey the other high-value principals, ``kadmin/admin@REALM``
|
|
Packit |
fd8b60 |
and ``kadmin/changepw@REALM``. These are the service principals used for
|
|
Packit |
fd8b60 |
changing user passwords and updating application keytabs. The kadmin
|
|
Packit |
fd8b60 |
and password-changing services are regular kerberized services, so the
|
|
Packit |
fd8b60 |
session-key-selection algorithm described in :ref:`session_key_selection`
|
|
Packit |
fd8b60 |
applies. It is particularly important to have strong session keys for
|
|
Packit |
fd8b60 |
these services, since user passwords and new long-term keys are conveyed
|
|
Packit |
fd8b60 |
over the encrypted channel.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
::
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
[root@casio krb5kdc]# enctypes=aes256-cts-hmac-sha1-96:normal,\
|
|
Packit |
fd8b60 |
> aes128-cts-hmac-sha1-96:normal,des3-hmac-sha1:normal
|
|
Packit |
fd8b60 |
[root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q "cpw -e ${enctypes} -randkey \
|
|
Packit |
fd8b60 |
> kadmin/admin"
|
|
Packit |
fd8b60 |
Authenticating as principal root/admin@ZONE.MIT.EDU with password.
|
|
Packit |
fd8b60 |
Key for "kadmin/admin@ZONE.MIT.EDU" randomized.
|
|
Packit |
fd8b60 |
[root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q "cpw -e ${enctypes} -randkey \
|
|
Packit |
fd8b60 |
> kadmin/changepw"
|
|
Packit |
fd8b60 |
Authenticating as principal root/admin@ZONE.MIT.EDU with password.
|
|
Packit |
fd8b60 |
Key for "kadmin/changepw@ZONE.MIT.EDU" randomized.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
It is not necessary to retain a single-DES key for these services, since
|
|
Packit |
fd8b60 |
password changes are not part of normal daily workflow, and disruption
|
|
Packit |
fd8b60 |
from a client failure is likely to be minimal. Furthermore, if a kerberos
|
|
Packit |
fd8b60 |
client experiences failure changing a user password or keytab key,
|
|
Packit |
fd8b60 |
this indicates that that client will become inoperative once services
|
|
Packit |
fd8b60 |
are rekeyed to non-DES enctypes. Such problems can be detected early
|
|
Packit |
fd8b60 |
at this stage, giving more time for corrective action.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Adding strong keys to application servers
|
|
Packit |
fd8b60 |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Before switching the default enctypes for new keys over to strong enctypes,
|
|
Packit |
fd8b60 |
it may be desired to test upgrading a handful of services with the
|
|
Packit |
fd8b60 |
new configuration before flipping the switch for the defaults. This
|
|
Packit |
fd8b60 |
still requires using the **-e** argument in :ref:`kadmin(1)` to get non-default
|
|
Packit |
fd8b60 |
enctypes:
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
::
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
[root@casio krb5kdc]# enctypes=aes256-cts-hmac-sha1-96:normal,\
|
|
Packit |
fd8b60 |
> aes128-cts-hmac-sha1-96:normal,des3-cbc-sha1:normal,des-cbc-crc:normal
|
|
Packit |
fd8b60 |
[root@casio krb5kdc]# kadmin -r ZONE.MIT.EDU -p zephyr/zephyr@ZONE.MIT.EDU -k -t \
|
|
Packit |
fd8b60 |
> /etc/zephyr/krb5.keytab -q "ktadd -e ${enctypes} \
|
|
Packit |
fd8b60 |
> -k /etc/zephyr/krb5.keytab zephyr/zephyr@ZONE.MIT.EDU"
|
|
Packit |
fd8b60 |
Authenticating as principal zephyr/zephyr@ZONE.MIT.EDU with keytab /etc/zephyr/krb5.keytab.
|
|
Packit |
fd8b60 |
Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/zephyr/krb5.keytab.
|
|
Packit |
fd8b60 |
Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/zephyr/krb5.keytab.
|
|
Packit |
fd8b60 |
Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/zephyr/krb5.keytab.
|
|
Packit |
fd8b60 |
Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type des-cbc-crc added to keytab WRFILE:/etc/zephyr/krb5.keytab.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Be sure to remove the old keys from the application keytab, per best
|
|
Packit |
fd8b60 |
practice.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
::
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
[root@casio krb5kdc]# k5srvutil -f /etc/zephyr/krb5.keytab delold
|
|
Packit |
fd8b60 |
Authenticating as principal zephyr/zephyr@ZONE.MIT.EDU with keytab /etc/zephyr/krb5.keytab.
|
|
Packit |
fd8b60 |
Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 3 removed from keytab WRFILE:/etc/zephyr/krb5.keytab.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Adding strong keys by default
|
|
Packit |
fd8b60 |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
Packit |
fd8b60 |
Once the high-visibility services have been rekeyed, it is probably
|
|
Packit |
fd8b60 |
appropriate to change :ref:`kdc.conf(5)` to generate keys with the new
|
|
Packit |
fd8b60 |
encryption types by default. This enables server administrators to generate
|
|
Packit |
fd8b60 |
new enctypes with the **change** subcommand of :ref:`k5srvutil(1)`,
|
|
Packit |
fd8b60 |
and causes user password
|
|
Packit |
fd8b60 |
changes to add new encryption types for their entries. It will probably
|
|
Packit |
fd8b60 |
be necessary to implement administrative controls to cause all user
|
|
Packit |
fd8b60 |
principal keys to be updated in a reasonable period of time, whether
|
|
Packit |
fd8b60 |
by forcing password changes or a password synchronization service that
|
|
Packit |
fd8b60 |
has access to the current password and can add the new keys.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
::
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
[realms]
|
|
Packit |
fd8b60 |
ZONE.MIT.EDU = {
|
|
Packit |
fd8b60 |
supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des3-hmac-sha1:normal des-cbc-crc:normal
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
.. note::
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
The krb5kdc process must be restarted for these changes to take effect.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
At this point, all service administrators can update their services and the
|
|
Packit |
fd8b60 |
servers behind them to take advantage of strong cryptography.
|
|
Packit |
fd8b60 |
If necessary, the server's krb5 installation should be configured and/or
|
|
Packit |
fd8b60 |
upgraded to a version supporting non-DES keys. See :ref:`enctypes` for
|
|
Packit |
fd8b60 |
krb5 version and configuration settings.
|
|
Packit |
fd8b60 |
Only when the service is configured to accept non-DES keys should
|
|
Packit |
fd8b60 |
the key version number be incremented and new keys generated
|
|
Packit |
fd8b60 |
(``k5srvutil change && k5srvutil delold``).
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
::
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
root@dr-willy:~# k5srvutil change
|
|
Packit |
fd8b60 |
Authenticating as principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with keytab /etc/krb5.keytab.
|
|
Packit |
fd8b60 |
Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.
|
|
Packit |
fd8b60 |
Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.
|
|
Packit |
fd8b60 |
Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
|
|
Packit |
fd8b60 |
Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
|
|
Packit |
fd8b60 |
root@dr-willy:~# klist -e -k -t /etc/krb5.keytab
|
|
Packit |
fd8b60 |
Keytab name: WRFILE:/etc/krb5.keytab
|
|
Packit |
fd8b60 |
KVNO Timestamp Principal
|
|
Packit |
fd8b60 |
---- ----------------- --------------------------------------------------------
|
|
Packit |
fd8b60 |
2 10/10/12 17:03:59 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (DES cbc mode with CRC-32)
|
|
Packit |
fd8b60 |
3 12/12/12 15:31:19 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (AES-256 CTS mode with 96-bit SHA-1 HMAC)
|
|
Packit |
fd8b60 |
3 12/12/12 15:31:19 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (AES-128 CTS mode with 96-bit SHA-1 HMAC)
|
|
Packit |
fd8b60 |
3 12/12/12 15:31:19 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (Triple DES cbc mode with HMAC/sha1)
|
|
Packit |
fd8b60 |
3 12/12/12 15:31:19 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (DES cbc mode with CRC-32)
|
|
Packit |
fd8b60 |
root@dr-willy:~# k5srvutil delold
|
|
Packit |
fd8b60 |
Authenticating as principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with keytab /etc/krb5.keytab.
|
|
Packit |
fd8b60 |
Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 2 removed from keytab WRFILE:/etc/krb5.keytab.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
When a single service principal is shared by multiple backend servers in
|
|
Packit |
fd8b60 |
a load-balanced environment, it may be necessary to schedule downtime
|
|
Packit |
fd8b60 |
or adjust the population in the load-balanced pool in order to propagate
|
|
Packit |
fd8b60 |
the updated keytab to all hosts in the pool with minimal service interruption.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Removing DES keys from usage
|
|
Packit |
fd8b60 |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
This situation remains something of a testing or transitory state,
|
|
Packit |
fd8b60 |
as new DES keys are still being generated, and will be used if requested
|
|
Packit |
fd8b60 |
by a client. To make more progress removing DES from the realm, the KDC
|
|
Packit |
fd8b60 |
should be configured to not generate such keys by default.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
.. note::
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
An attacker posing as a client can implement a brute force attack against
|
|
Packit |
fd8b60 |
a DES key for any principal, if that key is in the current (highest-kvno)
|
|
Packit |
fd8b60 |
key list. This attack is only possible if **allow_weak_crypto = true**
|
|
Packit |
fd8b60 |
is enabled on the KDC. Setting the **+requires_preauth** flag on a
|
|
Packit |
fd8b60 |
principal forces this attack to be an online attack, much slower than
|
|
Packit |
fd8b60 |
the offline attack otherwise available to the attacker. However, setting
|
|
Packit |
fd8b60 |
this flag on a service principal is not always advisable; see the entry in
|
|
Packit |
fd8b60 |
:ref:`add_principal` for details.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
The following KDC configuration will not generate DES keys by default:
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
::
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
[realms]
|
|
Packit |
fd8b60 |
ZONE.MIT.EDU = {
|
|
Packit |
fd8b60 |
supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des3-hmac-sha1:normal
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
.. note::
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
As before, the KDC process must be restarted for this change to take
|
|
Packit |
fd8b60 |
effect. It is best practice to update kdc.conf on all KDCs, not just the
|
|
Packit |
fd8b60 |
master, to avoid unpleasant surprises should the master fail and a
|
|
Packit |
fd8b60 |
replica need to be promoted.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
It is now appropriate to remove the legacy single-DES key from the
|
|
Packit |
fd8b60 |
``krbtgt/REALM`` entry:
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
::
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
[root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q "cpw -randkey -keepold \
|
|
Packit |
fd8b60 |
> krbtgt/ZONE.MIT.EDU"
|
|
Packit |
fd8b60 |
Authenticating as principal host/admin@ATHENA.MIT.EDU with password.
|
|
Packit |
fd8b60 |
Key for "krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU" randomized.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
After the maximum ticket lifetime has passed, the old database entry
|
|
Packit |
fd8b60 |
should be removed.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
::
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
[root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'purgekeys krbtgt/ZONE.MIT.EDU'
|
|
Packit |
fd8b60 |
Authenticating as principal root/admin@ZONE.MIT.EDU with password.
|
|
Packit |
fd8b60 |
Old keys for principal "krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU" purged.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
After the KDC is restarted with the new **supported_enctypes**,
|
|
Packit |
fd8b60 |
all user password changes and application keytab updates will not
|
|
Packit |
fd8b60 |
generate DES keys by default.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
::
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
contents-vnder-pressvre:~> kpasswd zonetest@ZONE.MIT.EDU
|
|
Packit |
fd8b60 |
Password for zonetest@ZONE.MIT.EDU: [enter old password]
|
|
Packit |
fd8b60 |
Enter new password: [enter new password]
|
|
Packit |
fd8b60 |
Enter it again: [enter new password]
|
|
Packit |
fd8b60 |
Password changed.
|
|
Packit |
fd8b60 |
contents-vnder-pressvre:~> kadmin -r ZONE.MIT.EDU -q 'getprinc zonetest'
|
|
Packit |
fd8b60 |
[...]
|
|
Packit |
fd8b60 |
Number of keys: 3
|
|
Packit |
fd8b60 |
Key: vno 9, aes256-cts-hmac-sha1-96
|
|
Packit |
fd8b60 |
Key: vno 9, aes128-cts-hmac-sha1-96
|
|
Packit |
fd8b60 |
Key: vno 9, des3-cbc-sha1
|
|
Packit |
fd8b60 |
[...]
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
[kaduk@glossolalia ~]$ kadmin -p kaduk@ZONE.MIT.EDU -r ZONE.MIT.EDU -k \
|
|
Packit |
fd8b60 |
> -t kaduk-zone.keytab -q 'ktadd -k kaduk-zone.keytab kaduk@ZONE.MIT.EDU'
|
|
Packit |
fd8b60 |
Authenticating as principal kaduk@ZONE.MIT.EDU with keytab kaduk-zone.keytab.
|
|
Packit |
fd8b60 |
Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:kaduk-zone.keytab.
|
|
Packit |
fd8b60 |
Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:kaduk-zone.keytab.
|
|
Packit |
fd8b60 |
Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type des3-cbc-sha1 added to keytab WRFILE:kaduk-zone.keytab.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Once all principals have been re-keyed, DES support can be disabled on the
|
|
Packit |
fd8b60 |
KDC (**allow_weak_crypto = false**), and client machines can remove
|
|
Packit |
fd8b60 |
**allow_weak_crypto = true** from their :ref:`krb5.conf(5)` configuration
|
|
Packit |
fd8b60 |
files, completing the migration. **allow_weak_crypto** takes precedence over
|
|
Packit |
fd8b60 |
all places where DES enctypes could be explicitly configured. DES keys will
|
|
Packit |
fd8b60 |
not be used, even if they are present, when **allow_weak_crypto = false**.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Support for legacy services
|
|
Packit |
fd8b60 |
~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
If there remain legacy services which do not support non-DES enctypes
|
|
Packit |
fd8b60 |
(such as older versions of AFS), **allow_weak_crypto** must remain
|
|
Packit |
fd8b60 |
enabled on the KDC. Client machines need not have this setting,
|
|
Packit |
fd8b60 |
though---applications which require DES can use API calls to allow
|
|
Packit |
fd8b60 |
weak crypto on a per-request basis, overriding the system krb5.conf.
|
|
Packit |
fd8b60 |
However, having **allow_weak_crypto** set on the KDC means that any
|
|
Packit |
fd8b60 |
principals which have a DES key in the database could still use those
|
|
Packit |
fd8b60 |
keys. To minimize the use of DES in the realm and restrict it to just
|
|
Packit |
fd8b60 |
legacy services which require DES, it is necessary to remove all other
|
|
Packit |
fd8b60 |
DES keys. The realm has been configured such that at password and
|
|
Packit |
fd8b60 |
keytab change, no DES keys will be generated by default. The task
|
|
Packit |
fd8b60 |
then reduces to requiring user password changes and having server
|
|
Packit |
fd8b60 |
administrators update their service keytabs. Administrative outreach
|
|
Packit |
fd8b60 |
will be necessary, and if the desire to eliminate DES is sufficiently
|
|
Packit |
fd8b60 |
strong, the KDC administrators may choose to randkey any principals
|
|
Packit |
fd8b60 |
which have not been rekeyed after some timeout period, forcing the
|
|
Packit |
fd8b60 |
user to contact the helpdesk for access.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
The Database Master Key
|
|
Packit |
fd8b60 |
-----------------------
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
This procedure does not alter ``K/M@REALM``, the key used to encrypt key
|
|
Packit |
fd8b60 |
material in the Kerberos database. (This is the key stored in the stash file
|
|
Packit |
fd8b60 |
on the KDC if stash files are used.) However, the security risk of
|
|
Packit |
fd8b60 |
a single-DES key for ``K/M`` is minimal, given that access to material
|
|
Packit |
fd8b60 |
encrypted in ``K/M`` (the Kerberos database) is generally tightly controlled.
|
|
Packit |
fd8b60 |
If an attacker can gain access to the encrypted database, they likely
|
|
Packit |
fd8b60 |
have access to the stash file as well, rendering the weak cryptography
|
|
Packit |
fd8b60 |
broken by non-cryptographic means. As such, upgrading ``K/M`` to a stronger
|
|
Packit |
fd8b60 |
encryption type is unlikely to be a high-priority task.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Is is possible to upgrade the master key used for the database, if
|
|
Packit |
fd8b60 |
desired. Using :ref:`kdb5_util(8)`'s **add_mkey**, **use_mkey**, and
|
|
Packit |
fd8b60 |
**update_princ_encryption** commands, a new master key can be added
|
|
Packit |
fd8b60 |
and activated for use on new key material, and the existing entries
|
|
Packit |
fd8b60 |
converted to the new master key.
|