1*7f2fe78bSCy Schubert 2*7f2fe78bSCy Schubert<!DOCTYPE html> 3*7f2fe78bSCy Schubert 4*7f2fe78bSCy Schubert<html> 5*7f2fe78bSCy Schubert <head> 6*7f2fe78bSCy Schubert <meta charset="utf-8" /> 7*7f2fe78bSCy Schubert <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" /> 8*7f2fe78bSCy Schubert 9*7f2fe78bSCy Schubert <title>Retiring DES — MIT Kerberos Documentation</title> 10*7f2fe78bSCy Schubert <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" /> 11*7f2fe78bSCy Schubert <link rel="stylesheet" type="text/css" href="../../_static/agogo.css" /> 12*7f2fe78bSCy Schubert <link rel="stylesheet" type="text/css" href="../../_static/kerb.css" /> 13*7f2fe78bSCy Schubert <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script> 14*7f2fe78bSCy Schubert <script src="../../_static/jquery.js"></script> 15*7f2fe78bSCy Schubert <script src="../../_static/underscore.js"></script> 16*7f2fe78bSCy Schubert <script src="../../_static/doctools.js"></script> 17*7f2fe78bSCy Schubert <link rel="author" title="About these documents" href="../../about.html" /> 18*7f2fe78bSCy Schubert <link rel="index" title="Index" href="../../genindex.html" /> 19*7f2fe78bSCy Schubert <link rel="search" title="Search" href="../../search.html" /> 20*7f2fe78bSCy Schubert <link rel="copyright" title="Copyright" href="../../copyright.html" /> 21*7f2fe78bSCy Schubert <link rel="next" title="Various links" href="../various_envs.html" /> 22*7f2fe78bSCy Schubert <link rel="prev" title="Advanced topics" href="index.html" /> 23*7f2fe78bSCy Schubert </head><body> 24*7f2fe78bSCy Schubert <div class="header-wrapper"> 25*7f2fe78bSCy Schubert <div class="header"> 26*7f2fe78bSCy Schubert 27*7f2fe78bSCy Schubert 28*7f2fe78bSCy Schubert <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1> 29*7f2fe78bSCy Schubert 30*7f2fe78bSCy Schubert <div class="rel"> 31*7f2fe78bSCy Schubert 32*7f2fe78bSCy Schubert <a href="../../index.html" title="Full Table of Contents" 33*7f2fe78bSCy Schubert accesskey="C">Contents</a> | 34*7f2fe78bSCy Schubert <a href="index.html" title="Advanced topics" 35*7f2fe78bSCy Schubert accesskey="P">previous</a> | 36*7f2fe78bSCy Schubert <a href="../various_envs.html" title="Various links" 37*7f2fe78bSCy Schubert accesskey="N">next</a> | 38*7f2fe78bSCy Schubert <a href="../../genindex.html" title="General Index" 39*7f2fe78bSCy Schubert accesskey="I">index</a> | 40*7f2fe78bSCy Schubert <a href="../../search.html" title="Enter search criteria" 41*7f2fe78bSCy Schubert accesskey="S">Search</a> | 42*7f2fe78bSCy Schubert <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Retiring DES">feedback</a> 43*7f2fe78bSCy Schubert </div> 44*7f2fe78bSCy Schubert </div> 45*7f2fe78bSCy Schubert </div> 46*7f2fe78bSCy Schubert 47*7f2fe78bSCy Schubert <div class="content-wrapper"> 48*7f2fe78bSCy Schubert <div class="content"> 49*7f2fe78bSCy Schubert <div class="document"> 50*7f2fe78bSCy Schubert 51*7f2fe78bSCy Schubert <div class="documentwrapper"> 52*7f2fe78bSCy Schubert <div class="bodywrapper"> 53*7f2fe78bSCy Schubert <div class="body" role="main"> 54*7f2fe78bSCy Schubert 55*7f2fe78bSCy Schubert <section id="retiring-des"> 56*7f2fe78bSCy Schubert<span id="id1"></span><h1>Retiring DES<a class="headerlink" href="#retiring-des" title="Permalink to this headline">¶</a></h1> 57*7f2fe78bSCy Schubert<p>Version 5 of the Kerberos protocol was originally implemented using 58*7f2fe78bSCy Schubertthe Data Encryption Standard (DES) as a block cipher for encryption. 59*7f2fe78bSCy SchubertWhile it was considered secure at the time, advancements in computational 60*7f2fe78bSCy Schubertability have rendered DES vulnerable to brute force attacks on its 56-bit 61*7f2fe78bSCy Schubertkeyspace. As such, it is now considered insecure and should not be 62*7f2fe78bSCy Schubertused (<span class="target" id="index-0"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc6649.html"><strong>RFC 6649</strong></a>).</p> 63*7f2fe78bSCy Schubert<section id="history"> 64*7f2fe78bSCy Schubert<h2>History<a class="headerlink" href="#history" title="Permalink to this headline">¶</a></h2> 65*7f2fe78bSCy Schubert<p>DES was used in the original Kerberos implementation, and was the 66*7f2fe78bSCy Schubertonly cryptosystem in krb5 1.0. Partial support for triple-DES (3DES) was 67*7f2fe78bSCy Schubertadded in version 1.1, with full support following in version 1.2. 68*7f2fe78bSCy SchubertThe Advanced Encryption Standard (AES), which supersedes DES, gained 69*7f2fe78bSCy Schubertpartial support in version 1.3.0 of krb5 and full support in version 1.3.2. 70*7f2fe78bSCy SchubertHowever, deployments of krb5 using Kerberos databases created with older 71*7f2fe78bSCy Schubertversions of krb5 will not necessarily start using strong crypto for 72*7f2fe78bSCy Schubertordinary operation without administrator intervention.</p> 73*7f2fe78bSCy Schubert<p>MIT krb5 began flagging deprecated encryption types with release 1.17, 74*7f2fe78bSCy Schubertand removed DES (single-DES) support in release 1.18. As a 75*7f2fe78bSCy Schubertconsequence, a release prior to 1.18 is required to perform these 76*7f2fe78bSCy Schubertmigrations.</p> 77*7f2fe78bSCy Schubert</section> 78*7f2fe78bSCy Schubert<section id="types-of-keys"> 79*7f2fe78bSCy Schubert<h2>Types of keys<a class="headerlink" href="#types-of-keys" title="Permalink to this headline">¶</a></h2> 80*7f2fe78bSCy Schubert<ul class="simple"> 81*7f2fe78bSCy Schubert<li><p>The database master key: This key is not exposed to user requests, 82*7f2fe78bSCy Schubertbut is used to encrypt other key material stored in the kerberos 83*7f2fe78bSCy Schubertdatabase. The database master key is currently stored as <code class="docutils literal notranslate"><span class="pre">K/M</span></code> 84*7f2fe78bSCy Schubertby default.</p></li> 85*7f2fe78bSCy Schubert<li><p>Password-derived keys: User principals frequently have keys 86*7f2fe78bSCy Schubertderived from a password. When a new password is set, the KDC 87*7f2fe78bSCy Schubertuses various string2key functions to generate keys in the database 88*7f2fe78bSCy Schubertfor that principal.</p></li> 89*7f2fe78bSCy Schubert<li><p>Keytab keys: Application server principals generally use random 90*7f2fe78bSCy Schubertkeys which are not derived from a password. When the database 91*7f2fe78bSCy Schubertentry is created, the KDC generates random keys of various enctypes 92*7f2fe78bSCy Schubertto enter in the database, which are conveyed to the application server 93*7f2fe78bSCy Schubertand stored in a keytab.</p></li> 94*7f2fe78bSCy Schubert<li><p>Session keys: These are short-term keys generated by the KDC while 95*7f2fe78bSCy Schubertprocessing client requests, with an enctype selected by the KDC.</p></li> 96*7f2fe78bSCy Schubert</ul> 97*7f2fe78bSCy Schubert<p>For details on the various enctypes and how enctypes are selected by the KDC 98*7f2fe78bSCy Schubertfor session keys and client/server long-term keys, see <a class="reference internal" href="../enctypes.html#enctypes"><span class="std std-ref">Encryption types</span></a>. 99*7f2fe78bSCy SchubertWhen using the <a class="reference internal" href="../admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> interface to generate new long-term keys, 100*7f2fe78bSCy Schubertthe <strong>-e</strong> argument can be used to force a particular set of enctypes, 101*7f2fe78bSCy Schubertoverriding the KDC default values.</p> 102*7f2fe78bSCy Schubert<div class="admonition note"> 103*7f2fe78bSCy Schubert<p class="admonition-title">Note</p> 104*7f2fe78bSCy Schubert<p>When the KDC is selecting a session key, it has no knowledge about the 105*7f2fe78bSCy Schubertkerberos installation on the server which will receive the service ticket, 106*7f2fe78bSCy Schubertonly what keys are in the database for the service principal. 107*7f2fe78bSCy SchubertIn order to allow uninterrupted operation to 108*7f2fe78bSCy Schubertclients while migrating away from DES, care must be taken to ensure that 109*7f2fe78bSCy Schubertkerberos installations on application server machines are configured to 110*7f2fe78bSCy Schubertsupport newer encryption types before keys of those new encryption types 111*7f2fe78bSCy Schubertare created in the Kerberos database for those server principals.</p> 112*7f2fe78bSCy Schubert</div> 113*7f2fe78bSCy Schubert</section> 114*7f2fe78bSCy Schubert<section id="upgrade-procedure"> 115*7f2fe78bSCy Schubert<h2>Upgrade procedure<a class="headerlink" href="#upgrade-procedure" title="Permalink to this headline">¶</a></h2> 116*7f2fe78bSCy Schubert<p>This procedure assumes that the KDC software has already been upgraded 117*7f2fe78bSCy Schubertto a modern version of krb5 that supports non-DES keys, so that the 118*7f2fe78bSCy Schubertonly remaining task is to update the actual keys used to service requests. 119*7f2fe78bSCy SchubertThe realm used for demonstrating this procedure, ZONE.MIT.EDU, 120*7f2fe78bSCy Schubertis an example of the worst-case scenario, where all keys in the realm 121*7f2fe78bSCy Schubertare DES. The realm was initially created with a very old version of krb5, 122*7f2fe78bSCy Schubertand <strong>supported_enctypes</strong> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> was set to a value 123*7f2fe78bSCy Schubertappropriate when the KDC was installed, but was not updated as the KDC 124*7f2fe78bSCy Schubertwas upgraded:</p> 125*7f2fe78bSCy Schubert<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">realms</span><span class="p">]</span> 126*7f2fe78bSCy Schubert <span class="n">ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span> 127*7f2fe78bSCy Schubert <span class="p">[</span><span class="o">...</span><span class="p">]</span> 128*7f2fe78bSCy Schubert <span class="n">master_key_type</span> <span class="o">=</span> <span class="n">des</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">crc</span> 129*7f2fe78bSCy Schubert <span class="n">supported_enctypes</span> <span class="o">=</span> <span class="n">des</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">crc</span><span class="p">:</span><span class="n">normal</span> <span class="n">des</span><span class="p">:</span><span class="n">normal</span> <span class="n">des</span><span class="p">:</span><span class="n">v4</span> <span class="n">des</span><span class="p">:</span><span class="n">norealm</span> <span class="n">des</span><span class="p">:</span><span class="n">onlyrealm</span> <span class="n">des</span><span class="p">:</span><span class="n">afs3</span> 130*7f2fe78bSCy Schubert <span class="p">}</span> 131*7f2fe78bSCy Schubert</pre></div> 132*7f2fe78bSCy Schubert</div> 133*7f2fe78bSCy Schubert<p>This resulted in the keys for all principals in the realm being forced 134*7f2fe78bSCy Schubertto DES-only, unless specifically requested using <a class="reference internal" href="../admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>.</p> 135*7f2fe78bSCy Schubert<p>Before starting the upgrade, all KDCs were running krb5 1.11, 136*7f2fe78bSCy Schubertand the database entries for some “high-value” principals were:</p> 137*7f2fe78bSCy Schubert<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">root</span><span class="nd">@casio</span> <span class="n">krb5kdc</span><span class="p">]</span><span class="c1"># kadmin.local -r ZONE.MIT.EDU -q 'getprinc krbtgt/ZONE.MIT.EDU'</span> 138*7f2fe78bSCy Schubert<span class="p">[</span><span class="o">...</span><span class="p">]</span> 139*7f2fe78bSCy Schubert<span class="n">Number</span> <span class="n">of</span> <span class="n">keys</span><span class="p">:</span> <span class="mi">1</span> 140*7f2fe78bSCy Schubert<span class="n">Key</span><span class="p">:</span> <span class="n">vno</span> <span class="mi">1</span><span class="p">,</span> <span class="n">des</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">crc</span><span class="p">:</span><span class="n">v4</span> 141*7f2fe78bSCy Schubert<span class="p">[</span><span class="o">...</span><span class="p">]</span> 142*7f2fe78bSCy Schubert<span class="p">[</span><span class="n">root</span><span class="nd">@casio</span> <span class="n">krb5kdc</span><span class="p">]</span><span class="c1"># kadmin.local -r ZONE.MIT.EDU -q 'getprinc kadmin/admin'</span> 143*7f2fe78bSCy Schubert<span class="p">[</span><span class="o">...</span><span class="p">]</span> 144*7f2fe78bSCy Schubert<span class="n">Number</span> <span class="n">of</span> <span class="n">keys</span><span class="p">:</span> <span class="mi">1</span> 145*7f2fe78bSCy Schubert<span class="n">Key</span><span class="p">:</span> <span class="n">vno</span> <span class="mi">15</span><span class="p">,</span> <span class="n">des</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">crc</span> 146*7f2fe78bSCy Schubert<span class="p">[</span><span class="o">...</span><span class="p">]</span> 147*7f2fe78bSCy Schubert<span class="p">[</span><span class="n">root</span><span class="nd">@casio</span> <span class="n">krb5kdc</span><span class="p">]</span><span class="c1"># kadmin.local -r ZONE.MIT.EDU -q 'getprinc kadmin/changepw'</span> 148*7f2fe78bSCy Schubert<span class="p">[</span><span class="o">...</span><span class="p">]</span> 149*7f2fe78bSCy Schubert<span class="n">Number</span> <span class="n">of</span> <span class="n">keys</span><span class="p">:</span> <span class="mi">1</span> 150*7f2fe78bSCy Schubert<span class="n">Key</span><span class="p">:</span> <span class="n">vno</span> <span class="mi">14</span><span class="p">,</span> <span class="n">des</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">crc</span> 151*7f2fe78bSCy Schubert<span class="p">[</span><span class="o">...</span><span class="p">]</span> 152*7f2fe78bSCy Schubert</pre></div> 153*7f2fe78bSCy Schubert</div> 154*7f2fe78bSCy Schubert<p>The <code class="docutils literal notranslate"><span class="pre">krbtgt/REALM</span></code> key appears to have never been changed since creation 155*7f2fe78bSCy Schubert(its kvno is 1), and all three database entries have only a des-cbc-crc key.</p> 156*7f2fe78bSCy Schubert<section id="the-krbtgt-key-and-kdc-keys"> 157*7f2fe78bSCy Schubert<h3>The krbtgt key and KDC keys<a class="headerlink" href="#the-krbtgt-key-and-kdc-keys" title="Permalink to this headline">¶</a></h3> 158*7f2fe78bSCy Schubert<p>Perhaps the biggest single-step improvement in the security of the cell 159*7f2fe78bSCy Schubertis gained by strengthening the key of the ticket-granting service principal, 160*7f2fe78bSCy Schubert<code class="docutils literal notranslate"><span class="pre">krbtgt/REALM</span></code>—if this principal’s key is compromised, so is the 161*7f2fe78bSCy Schubertentire realm. Since the server that will handle service tickets 162*7f2fe78bSCy Schubertfor this principal is the KDC itself, it is easy to guarantee that it 163*7f2fe78bSCy Schubertwill be configured to support any encryption types which might be 164*7f2fe78bSCy Schubertselected. However, the default KDC behavior when creating new keys is to 165*7f2fe78bSCy Schubertremove the old keys, which would invalidate all existing tickets issued 166*7f2fe78bSCy Schubertagainst that principal, rendering the TGTs cached by clients useless. 167*7f2fe78bSCy SchubertInstead, a new key can be created with the old key retained, so that 168*7f2fe78bSCy Schubertexisting tickets will still function until their scheduled expiry 169*7f2fe78bSCy Schubert(see <a class="reference internal" href="../database.html#changing-krbtgt-key"><span class="std std-ref">Changing the krbtgt key</span></a>).</p> 170*7f2fe78bSCy Schubert<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">root</span><span class="nd">@casio</span> <span class="n">krb5kdc</span><span class="p">]</span><span class="c1"># enctypes=aes256-cts-hmac-sha1-96:normal,\</span> 171*7f2fe78bSCy Schubert<span class="o">></span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span><span class="p">:</span><span class="n">normal</span><span class="p">,</span><span class="n">des3</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="p">:</span><span class="n">normal</span><span class="p">,</span><span class="n">des</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">crc</span><span class="p">:</span><span class="n">normal</span> 172*7f2fe78bSCy Schubert<span class="p">[</span><span class="n">root</span><span class="nd">@casio</span> <span class="n">krb5kdc</span><span class="p">]</span><span class="c1"># kadmin.local -r ZONE.MIT.EDU -q "cpw -e ${enctypes} -randkey \</span> 173*7f2fe78bSCy Schubert<span class="o">></span> <span class="o">-</span><span class="n">keepold</span> <span class="n">krbtgt</span><span class="o">/</span><span class="n">ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="s2">"</span> 174*7f2fe78bSCy Schubert<span class="n">Authenticating</span> <span class="k">as</span> <span class="n">principal</span> <span class="n">root</span><span class="o">/</span><span class="n">admin</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">password</span><span class="o">.</span> 175*7f2fe78bSCy Schubert<span class="n">Key</span> <span class="k">for</span> <span class="s2">"krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU"</span> <span class="n">randomized</span><span class="o">.</span> 176*7f2fe78bSCy Schubert</pre></div> 177*7f2fe78bSCy Schubert</div> 178*7f2fe78bSCy Schubert<div class="admonition note"> 179*7f2fe78bSCy Schubert<p class="admonition-title">Note</p> 180*7f2fe78bSCy Schubert<p>The new <code class="docutils literal notranslate"><span class="pre">krbtgt@REALM</span></code> key should be propagated to replica KDCs 181*7f2fe78bSCy Schubertimmediately so that TGTs issued by the primary KDC can be used to 182*7f2fe78bSCy Schubertissue service tickets on replica KDCs. Replica KDCs will refuse 183*7f2fe78bSCy Schubertrequests using the new TGT kvno until the new krbtgt entry has 184*7f2fe78bSCy Schubertbeen propagated to them.</p> 185*7f2fe78bSCy Schubert</div> 186*7f2fe78bSCy Schubert<p>It is necessary to explicitly specify the enctypes for the new database 187*7f2fe78bSCy Schubertentry, since <strong>supported_enctypes</strong> has not been changed. Leaving 188*7f2fe78bSCy Schubert<strong>supported_enctypes</strong> unchanged makes a potential rollback operation 189*7f2fe78bSCy Schuberteasier, since all new keys of new enctypes are the result of explicit 190*7f2fe78bSCy Schubertadministrator action and can be easily enumerated. 191*7f2fe78bSCy SchubertUpgrading the krbtgt key should have minimal user-visible disruption other 192*7f2fe78bSCy Schubertthan that described in the note above, since only clients which list the 193*7f2fe78bSCy Schubertnew enctypes as supported will use them, per the procedure 194*7f2fe78bSCy Schubertin <a class="reference internal" href="../enctypes.html#session-key-selection"><span class="std std-ref">Session key selection</span></a>. 195*7f2fe78bSCy SchubertOnce the krbtgt key is updated, the session and ticket keys for user 196*7f2fe78bSCy SchubertTGTs will be strong keys, but subsequent requests 197*7f2fe78bSCy Schubertfor service tickets will still get DES keys until the service principals 198*7f2fe78bSCy Schuberthave new keys generated. Application service 199*7f2fe78bSCy Schubertremains uninterrupted due to the key-selection procedure on the KDC.</p> 200*7f2fe78bSCy Schubert<p>After the change, the database entry is now:</p> 201*7f2fe78bSCy Schubert<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">root</span><span class="nd">@casio</span> <span class="n">krb5kdc</span><span class="p">]</span><span class="c1"># kadmin.local -r ZONE.MIT.EDU -q 'getprinc krbtgt/ZONE.MIT.EDU'</span> 202*7f2fe78bSCy Schubert<span class="p">[</span><span class="o">...</span><span class="p">]</span> 203*7f2fe78bSCy Schubert<span class="n">Number</span> <span class="n">of</span> <span class="n">keys</span><span class="p">:</span> <span class="mi">5</span> 204*7f2fe78bSCy Schubert<span class="n">Key</span><span class="p">:</span> <span class="n">vno</span> <span class="mi">2</span><span class="p">,</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> 205*7f2fe78bSCy Schubert<span class="n">Key</span><span class="p">:</span> <span class="n">vno</span> <span class="mi">2</span><span class="p">,</span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> 206*7f2fe78bSCy Schubert<span class="n">Key</span><span class="p">:</span> <span class="n">vno</span> <span class="mi">2</span><span class="p">,</span> <span class="n">des3</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">sha1</span> 207*7f2fe78bSCy Schubert<span class="n">Key</span><span class="p">:</span> <span class="n">vno</span> <span class="mi">2</span><span class="p">,</span> <span class="n">des</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">crc</span> 208*7f2fe78bSCy Schubert<span class="n">Key</span><span class="p">:</span> <span class="n">vno</span> <span class="mi">1</span><span class="p">,</span> <span class="n">des</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">crc</span><span class="p">:</span><span class="n">v4</span> 209*7f2fe78bSCy Schubert<span class="p">[</span><span class="o">...</span><span class="p">]</span> 210*7f2fe78bSCy Schubert</pre></div> 211*7f2fe78bSCy Schubert</div> 212*7f2fe78bSCy Schubert<p>Since the expected disruptions from rekeying the krbtgt principal are 213*7f2fe78bSCy Schubertminor, after a short testing period, it is 214*7f2fe78bSCy Schubertappropriate to rekey the other high-value principals, <code class="docutils literal notranslate"><span class="pre">kadmin/admin@REALM</span></code> 215*7f2fe78bSCy Schubertand <code class="docutils literal notranslate"><span class="pre">kadmin/changepw@REALM</span></code>. These are the service principals used for 216*7f2fe78bSCy Schubertchanging user passwords and updating application keytabs. The kadmin 217*7f2fe78bSCy Schubertand password-changing services are regular kerberized services, so the 218*7f2fe78bSCy Schubertsession-key-selection algorithm described in <a class="reference internal" href="../enctypes.html#session-key-selection"><span class="std std-ref">Session key selection</span></a> 219*7f2fe78bSCy Schubertapplies. It is particularly important to have strong session keys for 220*7f2fe78bSCy Schubertthese services, since user passwords and new long-term keys are conveyed 221*7f2fe78bSCy Schubertover the encrypted channel.</p> 222*7f2fe78bSCy Schubert<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">root</span><span class="nd">@casio</span> <span class="n">krb5kdc</span><span class="p">]</span><span class="c1"># enctypes=aes256-cts-hmac-sha1-96:normal,\</span> 223*7f2fe78bSCy Schubert<span class="o">></span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span><span class="p">:</span><span class="n">normal</span><span class="p">,</span><span class="n">des3</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="p">:</span><span class="n">normal</span> 224*7f2fe78bSCy Schubert<span class="p">[</span><span class="n">root</span><span class="nd">@casio</span> <span class="n">krb5kdc</span><span class="p">]</span><span class="c1"># kadmin.local -r ZONE.MIT.EDU -q "cpw -e ${enctypes} -randkey \</span> 225*7f2fe78bSCy Schubert<span class="o">></span> <span class="n">kadmin</span><span class="o">/</span><span class="n">admin</span><span class="s2">"</span> 226*7f2fe78bSCy Schubert<span class="n">Authenticating</span> <span class="k">as</span> <span class="n">principal</span> <span class="n">root</span><span class="o">/</span><span class="n">admin</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">password</span><span class="o">.</span> 227*7f2fe78bSCy Schubert<span class="n">Key</span> <span class="k">for</span> <span class="s2">"kadmin/admin@ZONE.MIT.EDU"</span> <span class="n">randomized</span><span class="o">.</span> 228*7f2fe78bSCy Schubert<span class="p">[</span><span class="n">root</span><span class="nd">@casio</span> <span class="n">krb5kdc</span><span class="p">]</span><span class="c1"># kadmin.local -r ZONE.MIT.EDU -q "cpw -e ${enctypes} -randkey \</span> 229*7f2fe78bSCy Schubert<span class="o">></span> <span class="n">kadmin</span><span class="o">/</span><span class="n">changepw</span><span class="s2">"</span> 230*7f2fe78bSCy Schubert<span class="n">Authenticating</span> <span class="k">as</span> <span class="n">principal</span> <span class="n">root</span><span class="o">/</span><span class="n">admin</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">password</span><span class="o">.</span> 231*7f2fe78bSCy Schubert<span class="n">Key</span> <span class="k">for</span> <span class="s2">"kadmin/changepw@ZONE.MIT.EDU"</span> <span class="n">randomized</span><span class="o">.</span> 232*7f2fe78bSCy Schubert</pre></div> 233*7f2fe78bSCy Schubert</div> 234*7f2fe78bSCy Schubert<p>It is not necessary to retain a single-DES key for these services, since 235*7f2fe78bSCy Schubertpassword changes are not part of normal daily workflow, and disruption 236*7f2fe78bSCy Schubertfrom a client failure is likely to be minimal. Furthermore, if a kerberos 237*7f2fe78bSCy Schubertclient experiences failure changing a user password or keytab key, 238*7f2fe78bSCy Schubertthis indicates that that client will become inoperative once services 239*7f2fe78bSCy Schubertare rekeyed to non-DES enctypes. Such problems can be detected early 240*7f2fe78bSCy Schubertat this stage, giving more time for corrective action.</p> 241*7f2fe78bSCy Schubert</section> 242*7f2fe78bSCy Schubert<section id="adding-strong-keys-to-application-servers"> 243*7f2fe78bSCy Schubert<h3>Adding strong keys to application servers<a class="headerlink" href="#adding-strong-keys-to-application-servers" title="Permalink to this headline">¶</a></h3> 244*7f2fe78bSCy Schubert<p>Before switching the default enctypes for new keys over to strong enctypes, 245*7f2fe78bSCy Schubertit may be desired to test upgrading a handful of services with the 246*7f2fe78bSCy Schubertnew configuration before flipping the switch for the defaults. This 247*7f2fe78bSCy Schubertstill requires using the <strong>-e</strong> argument in <a class="reference internal" href="../admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> to get non-default 248*7f2fe78bSCy Schubertenctypes:</p> 249*7f2fe78bSCy Schubert<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">root</span><span class="nd">@casio</span> <span class="n">krb5kdc</span><span class="p">]</span><span class="c1"># enctypes=aes256-cts-hmac-sha1-96:normal,\</span> 250*7f2fe78bSCy Schubert<span class="o">></span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span><span class="p">:</span><span class="n">normal</span><span class="p">,</span><span class="n">des3</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">sha1</span><span class="p">:</span><span class="n">normal</span><span class="p">,</span><span class="n">des</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">crc</span><span class="p">:</span><span class="n">normal</span> 251*7f2fe78bSCy Schubert<span class="p">[</span><span class="n">root</span><span class="nd">@casio</span> <span class="n">krb5kdc</span><span class="p">]</span><span class="c1"># kadmin -r ZONE.MIT.EDU -p zephyr/zephyr@ZONE.MIT.EDU -k -t \</span> 252*7f2fe78bSCy Schubert<span class="o">></span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">zephyr</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span> <span class="o">-</span><span class="n">q</span> <span class="s2">"ktadd -e $</span><span class="si">{enctypes}</span><span class="s2"> </span><span class="se">\</span> 253*7f2fe78bSCy Schubert<span class="s2">> -k /etc/zephyr/krb5.keytab zephyr/zephyr@ZONE.MIT.EDU"</span> 254*7f2fe78bSCy Schubert<span class="n">Authenticating</span> <span class="k">as</span> <span class="n">principal</span> <span class="n">zephyr</span><span class="o">/</span><span class="n">zephyr</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">keytab</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">zephyr</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span> 255*7f2fe78bSCy Schubert<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">zephyr</span><span class="o">/</span><span class="n">zephyr</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">4</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">zephyr</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span> 256*7f2fe78bSCy Schubert<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">zephyr</span><span class="o">/</span><span class="n">zephyr</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">4</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">zephyr</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span> 257*7f2fe78bSCy Schubert<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">zephyr</span><span class="o">/</span><span class="n">zephyr</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">4</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">des3</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">sha1</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">zephyr</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span> 258*7f2fe78bSCy Schubert<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">zephyr</span><span class="o">/</span><span class="n">zephyr</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">4</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">des</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">crc</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">zephyr</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span> 259*7f2fe78bSCy Schubert</pre></div> 260*7f2fe78bSCy Schubert</div> 261*7f2fe78bSCy Schubert<p>Be sure to remove the old keys from the application keytab, per best 262*7f2fe78bSCy Schubertpractice.</p> 263*7f2fe78bSCy Schubert<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">root</span><span class="nd">@casio</span> <span class="n">krb5kdc</span><span class="p">]</span><span class="c1"># k5srvutil -f /etc/zephyr/krb5.keytab delold</span> 264*7f2fe78bSCy Schubert<span class="n">Authenticating</span> <span class="k">as</span> <span class="n">principal</span> <span class="n">zephyr</span><span class="o">/</span><span class="n">zephyr</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">keytab</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">zephyr</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span> 265*7f2fe78bSCy Schubert<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">zephyr</span><span class="o">/</span><span class="n">zephyr</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">3</span> <span class="n">removed</span> <span class="kn">from</span> <span class="nn">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">zephyr</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span> 266*7f2fe78bSCy Schubert</pre></div> 267*7f2fe78bSCy Schubert</div> 268*7f2fe78bSCy Schubert</section> 269*7f2fe78bSCy Schubert<section id="adding-strong-keys-by-default"> 270*7f2fe78bSCy Schubert<h3>Adding strong keys by default<a class="headerlink" href="#adding-strong-keys-by-default" title="Permalink to this headline">¶</a></h3> 271*7f2fe78bSCy Schubert<p>Once the high-visibility services have been rekeyed, it is probably 272*7f2fe78bSCy Schubertappropriate to change <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> to generate keys with the new 273*7f2fe78bSCy Schubertencryption types by default. This enables server administrators to generate 274*7f2fe78bSCy Schubertnew enctypes with the <strong>change</strong> subcommand of <a class="reference internal" href="../admin_commands/k5srvutil.html#k5srvutil-1"><span class="std std-ref">k5srvutil</span></a>, 275*7f2fe78bSCy Schubertand causes user password 276*7f2fe78bSCy Schubertchanges to add new encryption types for their entries. It will probably 277*7f2fe78bSCy Schubertbe necessary to implement administrative controls to cause all user 278*7f2fe78bSCy Schubertprincipal keys to be updated in a reasonable period of time, whether 279*7f2fe78bSCy Schubertby forcing password changes or a password synchronization service that 280*7f2fe78bSCy Schuberthas access to the current password and can add the new keys.</p> 281*7f2fe78bSCy Schubert<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">realms</span><span class="p">]</span> 282*7f2fe78bSCy Schubert <span class="n">ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span> 283*7f2fe78bSCy Schubert <span class="n">supported_enctypes</span> <span class="o">=</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span><span class="p">:</span><span class="n">normal</span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span><span class="p">:</span><span class="n">normal</span> <span class="n">des3</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">sha1</span><span class="p">:</span><span class="n">normal</span> <span class="n">des3</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="p">:</span><span class="n">normal</span> <span class="n">des</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">crc</span><span class="p">:</span><span class="n">normal</span> 284*7f2fe78bSCy Schubert</pre></div> 285*7f2fe78bSCy Schubert</div> 286*7f2fe78bSCy Schubert<div class="admonition note"> 287*7f2fe78bSCy Schubert<p class="admonition-title">Note</p> 288*7f2fe78bSCy Schubert<p>The krb5kdc process must be restarted for these changes to take effect.</p> 289*7f2fe78bSCy Schubert</div> 290*7f2fe78bSCy Schubert<p>At this point, all service administrators can update their services and the 291*7f2fe78bSCy Schubertservers behind them to take advantage of strong cryptography. 292*7f2fe78bSCy SchubertIf necessary, the server’s krb5 installation should be configured and/or 293*7f2fe78bSCy Schubertupgraded to a version supporting non-DES keys. See <a class="reference internal" href="../enctypes.html#enctypes"><span class="std std-ref">Encryption types</span></a> for 294*7f2fe78bSCy Schubertkrb5 version and configuration settings. 295*7f2fe78bSCy SchubertOnly when the service is configured to accept non-DES keys should 296*7f2fe78bSCy Schubertthe key version number be incremented and new keys generated 297*7f2fe78bSCy Schubert(<code class="docutils literal notranslate"><span class="pre">k5srvutil</span> <span class="pre">change</span> <span class="pre">&&</span> <span class="pre">k5srvutil</span> <span class="pre">delold</span></code>).</p> 298*7f2fe78bSCy Schubert<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">root</span><span class="nd">@dr</span><span class="o">-</span><span class="n">willy</span><span class="p">:</span><span class="o">~</span><span class="c1"># k5srvutil change</span> 299*7f2fe78bSCy Schubert<span class="n">Authenticating</span> <span class="k">as</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">dr</span><span class="o">-</span><span class="n">willy</span><span class="o">.</span><span class="n">xvm</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">keytab</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span> 300*7f2fe78bSCy Schubert<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">dr</span><span class="o">-</span><span class="n">willy</span><span class="o">.</span><span class="n">xvm</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">3</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">AES</span><span class="o">-</span><span class="mi">256</span> <span class="n">CTS</span> <span class="n">mode</span> <span class="k">with</span> <span class="mi">96</span><span class="o">-</span><span class="n">bit</span> <span class="n">SHA</span><span class="o">-</span><span class="mi">1</span> <span class="n">HMAC</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span> 301*7f2fe78bSCy Schubert<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">dr</span><span class="o">-</span><span class="n">willy</span><span class="o">.</span><span class="n">xvm</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">3</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">AES</span><span class="o">-</span><span class="mi">128</span> <span class="n">CTS</span> <span class="n">mode</span> <span class="k">with</span> <span class="mi">96</span><span class="o">-</span><span class="n">bit</span> <span class="n">SHA</span><span class="o">-</span><span class="mi">1</span> <span class="n">HMAC</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span> 302*7f2fe78bSCy Schubert<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">dr</span><span class="o">-</span><span class="n">willy</span><span class="o">.</span><span class="n">xvm</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">3</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">Triple</span> <span class="n">DES</span> <span class="n">cbc</span> <span class="n">mode</span> <span class="k">with</span> <span class="n">HMAC</span><span class="o">/</span><span class="n">sha1</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span> 303*7f2fe78bSCy Schubert<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">dr</span><span class="o">-</span><span class="n">willy</span><span class="o">.</span><span class="n">xvm</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">3</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">DES</span> <span class="n">cbc</span> <span class="n">mode</span> <span class="k">with</span> <span class="n">CRC</span><span class="o">-</span><span class="mi">32</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span> 304*7f2fe78bSCy Schubert<span class="n">root</span><span class="nd">@dr</span><span class="o">-</span><span class="n">willy</span><span class="p">:</span><span class="o">~</span><span class="c1"># klist -e -k -t /etc/krb5.keytab</span> 305*7f2fe78bSCy Schubert<span class="n">Keytab</span> <span class="n">name</span><span class="p">:</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span> 306*7f2fe78bSCy Schubert<span class="n">KVNO</span> <span class="n">Timestamp</span> <span class="n">Principal</span> 307*7f2fe78bSCy Schubert<span class="o">----</span> <span class="o">-----------------</span> <span class="o">--------------------------------------------------------</span> 308*7f2fe78bSCy Schubert <span class="mi">2</span> <span class="mi">10</span><span class="o">/</span><span class="mi">10</span><span class="o">/</span><span class="mi">12</span> <span class="mi">17</span><span class="p">:</span><span class="mi">03</span><span class="p">:</span><span class="mi">59</span> <span class="n">host</span><span class="o">/</span><span class="n">dr</span><span class="o">-</span><span class="n">willy</span><span class="o">.</span><span class="n">xvm</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="p">(</span><span class="n">DES</span> <span class="n">cbc</span> <span class="n">mode</span> <span class="k">with</span> <span class="n">CRC</span><span class="o">-</span><span class="mi">32</span><span class="p">)</span> 309*7f2fe78bSCy Schubert <span class="mi">3</span> <span class="mi">12</span><span class="o">/</span><span class="mi">12</span><span class="o">/</span><span class="mi">12</span> <span class="mi">15</span><span class="p">:</span><span class="mi">31</span><span class="p">:</span><span class="mi">19</span> <span class="n">host</span><span class="o">/</span><span class="n">dr</span><span class="o">-</span><span class="n">willy</span><span class="o">.</span><span class="n">xvm</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="p">(</span><span class="n">AES</span><span class="o">-</span><span class="mi">256</span> <span class="n">CTS</span> <span class="n">mode</span> <span class="k">with</span> <span class="mi">96</span><span class="o">-</span><span class="n">bit</span> <span class="n">SHA</span><span class="o">-</span><span class="mi">1</span> <span class="n">HMAC</span><span class="p">)</span> 310*7f2fe78bSCy Schubert <span class="mi">3</span> <span class="mi">12</span><span class="o">/</span><span class="mi">12</span><span class="o">/</span><span class="mi">12</span> <span class="mi">15</span><span class="p">:</span><span class="mi">31</span><span class="p">:</span><span class="mi">19</span> <span class="n">host</span><span class="o">/</span><span class="n">dr</span><span class="o">-</span><span class="n">willy</span><span class="o">.</span><span class="n">xvm</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="p">(</span><span class="n">AES</span><span class="o">-</span><span class="mi">128</span> <span class="n">CTS</span> <span class="n">mode</span> <span class="k">with</span> <span class="mi">96</span><span class="o">-</span><span class="n">bit</span> <span class="n">SHA</span><span class="o">-</span><span class="mi">1</span> <span class="n">HMAC</span><span class="p">)</span> 311*7f2fe78bSCy Schubert <span class="mi">3</span> <span class="mi">12</span><span class="o">/</span><span class="mi">12</span><span class="o">/</span><span class="mi">12</span> <span class="mi">15</span><span class="p">:</span><span class="mi">31</span><span class="p">:</span><span class="mi">19</span> <span class="n">host</span><span class="o">/</span><span class="n">dr</span><span class="o">-</span><span class="n">willy</span><span class="o">.</span><span class="n">xvm</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="p">(</span><span class="n">Triple</span> <span class="n">DES</span> <span class="n">cbc</span> <span class="n">mode</span> <span class="k">with</span> <span class="n">HMAC</span><span class="o">/</span><span class="n">sha1</span><span class="p">)</span> 312*7f2fe78bSCy Schubert <span class="mi">3</span> <span class="mi">12</span><span class="o">/</span><span class="mi">12</span><span class="o">/</span><span class="mi">12</span> <span class="mi">15</span><span class="p">:</span><span class="mi">31</span><span class="p">:</span><span class="mi">19</span> <span class="n">host</span><span class="o">/</span><span class="n">dr</span><span class="o">-</span><span class="n">willy</span><span class="o">.</span><span class="n">xvm</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="p">(</span><span class="n">DES</span> <span class="n">cbc</span> <span class="n">mode</span> <span class="k">with</span> <span class="n">CRC</span><span class="o">-</span><span class="mi">32</span><span class="p">)</span> 313*7f2fe78bSCy Schubert<span class="n">root</span><span class="nd">@dr</span><span class="o">-</span><span class="n">willy</span><span class="p">:</span><span class="o">~</span><span class="c1"># k5srvutil delold</span> 314*7f2fe78bSCy Schubert<span class="n">Authenticating</span> <span class="k">as</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">dr</span><span class="o">-</span><span class="n">willy</span><span class="o">.</span><span class="n">xvm</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">keytab</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span> 315*7f2fe78bSCy Schubert<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">dr</span><span class="o">-</span><span class="n">willy</span><span class="o">.</span><span class="n">xvm</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">2</span> <span class="n">removed</span> <span class="kn">from</span> <span class="nn">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span> 316*7f2fe78bSCy Schubert</pre></div> 317*7f2fe78bSCy Schubert</div> 318*7f2fe78bSCy Schubert<p>When a single service principal is shared by multiple backend servers in 319*7f2fe78bSCy Schuberta load-balanced environment, it may be necessary to schedule downtime 320*7f2fe78bSCy Schubertor adjust the population in the load-balanced pool in order to propagate 321*7f2fe78bSCy Schubertthe updated keytab to all hosts in the pool with minimal service interruption.</p> 322*7f2fe78bSCy Schubert</section> 323*7f2fe78bSCy Schubert<section id="removing-des-keys-from-usage"> 324*7f2fe78bSCy Schubert<h3>Removing DES keys from usage<a class="headerlink" href="#removing-des-keys-from-usage" title="Permalink to this headline">¶</a></h3> 325*7f2fe78bSCy Schubert<p>This situation remains something of a testing or transitory state, 326*7f2fe78bSCy Schubertas new DES keys are still being generated, and will be used if requested 327*7f2fe78bSCy Schubertby a client. To make more progress removing DES from the realm, the KDC 328*7f2fe78bSCy Schubertshould be configured to not generate such keys by default.</p> 329*7f2fe78bSCy Schubert<div class="admonition note"> 330*7f2fe78bSCy Schubert<p class="admonition-title">Note</p> 331*7f2fe78bSCy Schubert<p>An attacker posing as a client can implement a brute force attack against 332*7f2fe78bSCy Schuberta DES key for any principal, if that key is in the current (highest-kvno) 333*7f2fe78bSCy Schubertkey list. This attack is only possible if <strong>allow_weak_crypto = true</strong> 334*7f2fe78bSCy Schubertis enabled on the KDC. Setting the <strong>+requires_preauth</strong> flag on a 335*7f2fe78bSCy Schubertprincipal forces this attack to be an online attack, much slower than 336*7f2fe78bSCy Schubertthe offline attack otherwise available to the attacker. However, setting 337*7f2fe78bSCy Schubertthis flag on a service principal is not always advisable; see the entry in 338*7f2fe78bSCy Schubert<a class="reference internal" href="../admin_commands/kadmin_local.html#add-principal"><span class="std std-ref">add_principal</span></a> for details.</p> 339*7f2fe78bSCy Schubert</div> 340*7f2fe78bSCy Schubert<p>The following KDC configuration will not generate DES keys by default:</p> 341*7f2fe78bSCy Schubert<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">realms</span><span class="p">]</span> 342*7f2fe78bSCy Schubert <span class="n">ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">=</span> <span class="p">{</span> 343*7f2fe78bSCy Schubert <span class="n">supported_enctypes</span> <span class="o">=</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span><span class="p">:</span><span class="n">normal</span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span><span class="p">:</span><span class="n">normal</span> <span class="n">des3</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">sha1</span><span class="p">:</span><span class="n">normal</span> <span class="n">des3</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="p">:</span><span class="n">normal</span> 344*7f2fe78bSCy Schubert</pre></div> 345*7f2fe78bSCy Schubert</div> 346*7f2fe78bSCy Schubert<div class="admonition note"> 347*7f2fe78bSCy Schubert<p class="admonition-title">Note</p> 348*7f2fe78bSCy Schubert<p>As before, the KDC process must be restarted for this change to take 349*7f2fe78bSCy Schuberteffect. It is best practice to update kdc.conf on all KDCs, not just the 350*7f2fe78bSCy Schubertprimary, to avoid unpleasant surprises should the primary fail and a 351*7f2fe78bSCy Schubertreplica need to be promoted.</p> 352*7f2fe78bSCy Schubert</div> 353*7f2fe78bSCy Schubert<p>It is now appropriate to remove the legacy single-DES key from the 354*7f2fe78bSCy Schubert<code class="docutils literal notranslate"><span class="pre">krbtgt/REALM</span></code> entry:</p> 355*7f2fe78bSCy Schubert<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">root</span><span class="nd">@casio</span> <span class="n">krb5kdc</span><span class="p">]</span><span class="c1"># kadmin.local -r ZONE.MIT.EDU -q "cpw -randkey -keepold \</span> 356*7f2fe78bSCy Schubert<span class="o">></span> <span class="n">krbtgt</span><span class="o">/</span><span class="n">ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="s2">"</span> 357*7f2fe78bSCy Schubert<span class="n">Authenticating</span> <span class="k">as</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">admin</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">password</span><span class="o">.</span> 358*7f2fe78bSCy Schubert<span class="n">Key</span> <span class="k">for</span> <span class="s2">"krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU"</span> <span class="n">randomized</span><span class="o">.</span> 359*7f2fe78bSCy Schubert</pre></div> 360*7f2fe78bSCy Schubert</div> 361*7f2fe78bSCy Schubert<p>After the maximum ticket lifetime has passed, the old database entry 362*7f2fe78bSCy Schubertshould be removed.</p> 363*7f2fe78bSCy Schubert<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">root</span><span class="nd">@casio</span> <span class="n">krb5kdc</span><span class="p">]</span><span class="c1"># kadmin.local -r ZONE.MIT.EDU -q 'purgekeys krbtgt/ZONE.MIT.EDU'</span> 364*7f2fe78bSCy Schubert<span class="n">Authenticating</span> <span class="k">as</span> <span class="n">principal</span> <span class="n">root</span><span class="o">/</span><span class="n">admin</span><span class="nd">@ZONE</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">password</span><span class="o">.</span> 365*7f2fe78bSCy Schubert<span class="n">Old</span> <span class="n">keys</span> <span class="k">for</span> <span class="n">principal</span> <span class="s2">"krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU"</span> <span class="n">purged</span><span class="o">.</span> 366*7f2fe78bSCy Schubert</pre></div> 367*7f2fe78bSCy Schubert</div> 368*7f2fe78bSCy Schubert<p>After the KDC is restarted with the new <strong>supported_enctypes</strong>, 369*7f2fe78bSCy Schubertall user password changes and application keytab updates will not 370*7f2fe78bSCy Schubertgenerate DES keys by default.</p> 371*7f2fe78bSCy Schubert<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>contents-vnder-pressvre:~> kpasswd zonetest@ZONE.MIT.EDU 372*7f2fe78bSCy SchubertPassword for zonetest@ZONE.MIT.EDU: [enter old password] 373*7f2fe78bSCy SchubertEnter new password: [enter new password] 374*7f2fe78bSCy SchubertEnter it again: [enter new password] 375*7f2fe78bSCy SchubertPassword changed. 376*7f2fe78bSCy Schubertcontents-vnder-pressvre:~> kadmin -r ZONE.MIT.EDU -q 'getprinc zonetest' 377*7f2fe78bSCy Schubert[...] 378*7f2fe78bSCy SchubertNumber of keys: 3 379*7f2fe78bSCy SchubertKey: vno 9, aes256-cts-hmac-sha1-96 380*7f2fe78bSCy SchubertKey: vno 9, aes128-cts-hmac-sha1-96 381*7f2fe78bSCy SchubertKey: vno 9, des3-cbc-sha1 382*7f2fe78bSCy Schubert[...] 383*7f2fe78bSCy Schubert 384*7f2fe78bSCy Schubert[kaduk@glossolalia ~]$ kadmin -p kaduk@ZONE.MIT.EDU -r ZONE.MIT.EDU -k \ 385*7f2fe78bSCy Schubert> -t kaduk-zone.keytab -q 'ktadd -k kaduk-zone.keytab kaduk@ZONE.MIT.EDU' 386*7f2fe78bSCy SchubertAuthenticating as principal kaduk@ZONE.MIT.EDU with keytab kaduk-zone.keytab. 387*7f2fe78bSCy SchubertEntry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:kaduk-zone.keytab. 388*7f2fe78bSCy SchubertEntry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:kaduk-zone.keytab. 389*7f2fe78bSCy SchubertEntry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type des3-cbc-sha1 added to keytab WRFILE:kaduk-zone.keytab. 390*7f2fe78bSCy Schubert</pre></div> 391*7f2fe78bSCy Schubert</div> 392*7f2fe78bSCy Schubert<p>Once all principals have been re-keyed, DES support can be disabled on the 393*7f2fe78bSCy SchubertKDC (<strong>allow_weak_crypto = false</strong>), and client machines can remove 394*7f2fe78bSCy Schubert<strong>allow_weak_crypto = true</strong> from their <a class="reference internal" href="../conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> configuration 395*7f2fe78bSCy Schubertfiles, completing the migration. <strong>allow_weak_crypto</strong> takes precedence over 396*7f2fe78bSCy Schubertall places where DES enctypes could be explicitly configured. DES keys will 397*7f2fe78bSCy Schubertnot be used, even if they are present, when <strong>allow_weak_crypto = false</strong>.</p> 398*7f2fe78bSCy Schubert</section> 399*7f2fe78bSCy Schubert<section id="support-for-legacy-services"> 400*7f2fe78bSCy Schubert<h3>Support for legacy services<a class="headerlink" href="#support-for-legacy-services" title="Permalink to this headline">¶</a></h3> 401*7f2fe78bSCy Schubert<p>If there remain legacy services which do not support non-DES enctypes 402*7f2fe78bSCy Schubert(such as older versions of AFS), <strong>allow_weak_crypto</strong> must remain 403*7f2fe78bSCy Schubertenabled on the KDC. Client machines need not have this setting, 404*7f2fe78bSCy Schubertthough—applications which require DES can use API calls to allow 405*7f2fe78bSCy Schubertweak crypto on a per-request basis, overriding the system krb5.conf. 406*7f2fe78bSCy SchubertHowever, having <strong>allow_weak_crypto</strong> set on the KDC means that any 407*7f2fe78bSCy Schubertprincipals which have a DES key in the database could still use those 408*7f2fe78bSCy Schubertkeys. To minimize the use of DES in the realm and restrict it to just 409*7f2fe78bSCy Schubertlegacy services which require DES, it is necessary to remove all other 410*7f2fe78bSCy SchubertDES keys. The realm has been configured such that at password and 411*7f2fe78bSCy Schubertkeytab change, no DES keys will be generated by default. The task 412*7f2fe78bSCy Schubertthen reduces to requiring user password changes and having server 413*7f2fe78bSCy Schubertadministrators update their service keytabs. Administrative outreach 414*7f2fe78bSCy Schubertwill be necessary, and if the desire to eliminate DES is sufficiently 415*7f2fe78bSCy Schubertstrong, the KDC administrators may choose to randkey any principals 416*7f2fe78bSCy Schubertwhich have not been rekeyed after some timeout period, forcing the 417*7f2fe78bSCy Schubertuser to contact the helpdesk for access.</p> 418*7f2fe78bSCy Schubert</section> 419*7f2fe78bSCy Schubert</section> 420*7f2fe78bSCy Schubert<section id="the-database-master-key"> 421*7f2fe78bSCy Schubert<h2>The Database Master Key<a class="headerlink" href="#the-database-master-key" title="Permalink to this headline">¶</a></h2> 422*7f2fe78bSCy Schubert<p>This procedure does not alter <code class="docutils literal notranslate"><span class="pre">K/M@REALM</span></code>, the key used to encrypt key 423*7f2fe78bSCy Schubertmaterial in the Kerberos database. (This is the key stored in the stash file 424*7f2fe78bSCy Schuberton the KDC if stash files are used.) However, the security risk of 425*7f2fe78bSCy Schuberta single-DES key for <code class="docutils literal notranslate"><span class="pre">K/M</span></code> is minimal, given that access to material 426*7f2fe78bSCy Schubertencrypted in <code class="docutils literal notranslate"><span class="pre">K/M</span></code> (the Kerberos database) is generally tightly controlled. 427*7f2fe78bSCy SchubertIf an attacker can gain access to the encrypted database, they likely 428*7f2fe78bSCy Schuberthave access to the stash file as well, rendering the weak cryptography 429*7f2fe78bSCy Schubertbroken by non-cryptographic means. As such, upgrading <code class="docutils literal notranslate"><span class="pre">K/M</span></code> to a stronger 430*7f2fe78bSCy Schubertencryption type is unlikely to be a high-priority task.</p> 431*7f2fe78bSCy Schubert<p>Is is possible to upgrade the master key used for the database, if 432*7f2fe78bSCy Schubertdesired. Using <a class="reference internal" href="../admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a>’s <strong>add_mkey</strong>, <strong>use_mkey</strong>, and 433*7f2fe78bSCy Schubert<strong>update_princ_encryption</strong> commands, a new master key can be added 434*7f2fe78bSCy Schubertand activated for use on new key material, and the existing entries 435*7f2fe78bSCy Schubertconverted to the new master key.</p> 436*7f2fe78bSCy Schubert</section> 437*7f2fe78bSCy Schubert</section> 438*7f2fe78bSCy Schubert 439*7f2fe78bSCy Schubert 440*7f2fe78bSCy Schubert <div class="clearer"></div> 441*7f2fe78bSCy Schubert </div> 442*7f2fe78bSCy Schubert </div> 443*7f2fe78bSCy Schubert </div> 444*7f2fe78bSCy Schubert </div> 445*7f2fe78bSCy Schubert <div class="sidebar"> 446*7f2fe78bSCy Schubert 447*7f2fe78bSCy Schubert <h2>On this page</h2> 448*7f2fe78bSCy Schubert <ul> 449*7f2fe78bSCy Schubert<li><a class="reference internal" href="#">Retiring DES</a><ul> 450*7f2fe78bSCy Schubert<li><a class="reference internal" href="#history">History</a></li> 451*7f2fe78bSCy Schubert<li><a class="reference internal" href="#types-of-keys">Types of keys</a></li> 452*7f2fe78bSCy Schubert<li><a class="reference internal" href="#upgrade-procedure">Upgrade procedure</a><ul> 453*7f2fe78bSCy Schubert<li><a class="reference internal" href="#the-krbtgt-key-and-kdc-keys">The krbtgt key and KDC keys</a></li> 454*7f2fe78bSCy Schubert<li><a class="reference internal" href="#adding-strong-keys-to-application-servers">Adding strong keys to application servers</a></li> 455*7f2fe78bSCy Schubert<li><a class="reference internal" href="#adding-strong-keys-by-default">Adding strong keys by default</a></li> 456*7f2fe78bSCy Schubert<li><a class="reference internal" href="#removing-des-keys-from-usage">Removing DES keys from usage</a></li> 457*7f2fe78bSCy Schubert<li><a class="reference internal" href="#support-for-legacy-services">Support for legacy services</a></li> 458*7f2fe78bSCy Schubert</ul> 459*7f2fe78bSCy Schubert</li> 460*7f2fe78bSCy Schubert<li><a class="reference internal" href="#the-database-master-key">The Database Master Key</a></li> 461*7f2fe78bSCy Schubert</ul> 462*7f2fe78bSCy Schubert</li> 463*7f2fe78bSCy Schubert</ul> 464*7f2fe78bSCy Schubert 465*7f2fe78bSCy Schubert <br/> 466*7f2fe78bSCy Schubert <h2>Table of contents</h2> 467*7f2fe78bSCy Schubert <ul class="current"> 468*7f2fe78bSCy Schubert<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li> 469*7f2fe78bSCy Schubert<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current"> 470*7f2fe78bSCy Schubert<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li> 471*7f2fe78bSCy Schubert<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li> 472*7f2fe78bSCy Schubert<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li> 473*7f2fe78bSCy Schubert<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li> 474*7f2fe78bSCy Schubert<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li> 475*7f2fe78bSCy Schubert<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li> 476*7f2fe78bSCy Schubert<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> 477*7f2fe78bSCy Schubert<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li> 478*7f2fe78bSCy Schubert<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li> 479*7f2fe78bSCy Schubert<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li> 480*7f2fe78bSCy Schubert<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li> 481*7f2fe78bSCy Schubert<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li> 482*7f2fe78bSCy Schubert<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li> 483*7f2fe78bSCy Schubert<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li> 484*7f2fe78bSCy Schubert<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li> 485*7f2fe78bSCy Schubert<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li> 486*7f2fe78bSCy Schubert<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li> 487*7f2fe78bSCy Schubert<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li> 488*7f2fe78bSCy Schubert<li class="toctree-l2"><a class="reference internal" href="../admin_commands/index.html">Administration programs</a></li> 489*7f2fe78bSCy Schubert<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li> 490*7f2fe78bSCy Schubert<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li> 491*7f2fe78bSCy Schubert<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li> 492*7f2fe78bSCy Schubert<li class="toctree-l2 current"><a class="reference internal" href="index.html">Advanced topics</a><ul class="current"> 493*7f2fe78bSCy Schubert<li class="toctree-l3 current"><a class="current reference internal" href="#">Retiring DES</a></li> 494*7f2fe78bSCy Schubert</ul> 495*7f2fe78bSCy Schubert</li> 496*7f2fe78bSCy Schubert<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li> 497*7f2fe78bSCy Schubert</ul> 498*7f2fe78bSCy Schubert</li> 499*7f2fe78bSCy Schubert<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li> 500*7f2fe78bSCy Schubert<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li> 501*7f2fe78bSCy Schubert<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li> 502*7f2fe78bSCy Schubert<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li> 503*7f2fe78bSCy Schubert<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li> 504*7f2fe78bSCy Schubert<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li> 505*7f2fe78bSCy Schubert<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li> 506*7f2fe78bSCy Schubert<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li> 507*7f2fe78bSCy Schubert<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li> 508*7f2fe78bSCy Schubert</ul> 509*7f2fe78bSCy Schubert 510*7f2fe78bSCy Schubert <br/> 511*7f2fe78bSCy Schubert <h4><a href="../../index.html">Full Table of Contents</a></h4> 512*7f2fe78bSCy Schubert <h4>Search</h4> 513*7f2fe78bSCy Schubert <form class="search" action="../../search.html" method="get"> 514*7f2fe78bSCy Schubert <input type="text" name="q" size="18" /> 515*7f2fe78bSCy Schubert <input type="submit" value="Go" /> 516*7f2fe78bSCy Schubert <input type="hidden" name="check_keywords" value="yes" /> 517*7f2fe78bSCy Schubert <input type="hidden" name="area" value="default" /> 518*7f2fe78bSCy Schubert </form> 519*7f2fe78bSCy Schubert 520*7f2fe78bSCy Schubert </div> 521*7f2fe78bSCy Schubert <div class="clearer"></div> 522*7f2fe78bSCy Schubert </div> 523*7f2fe78bSCy Schubert </div> 524*7f2fe78bSCy Schubert 525*7f2fe78bSCy Schubert <div class="footer-wrapper"> 526*7f2fe78bSCy Schubert <div class="footer" > 527*7f2fe78bSCy Schubert <div class="right" ><i>Release: 1.21.3</i><br /> 528*7f2fe78bSCy Schubert © <a href="../../copyright.html">Copyright</a> 1985-2024, MIT. 529*7f2fe78bSCy Schubert </div> 530*7f2fe78bSCy Schubert <div class="left"> 531*7f2fe78bSCy Schubert 532*7f2fe78bSCy Schubert <a href="../../index.html" title="Full Table of Contents" 533*7f2fe78bSCy Schubert >Contents</a> | 534*7f2fe78bSCy Schubert <a href="index.html" title="Advanced topics" 535*7f2fe78bSCy Schubert >previous</a> | 536*7f2fe78bSCy Schubert <a href="../various_envs.html" title="Various links" 537*7f2fe78bSCy Schubert >next</a> | 538*7f2fe78bSCy Schubert <a href="../../genindex.html" title="General Index" 539*7f2fe78bSCy Schubert >index</a> | 540*7f2fe78bSCy Schubert <a href="../../search.html" title="Enter search criteria" 541*7f2fe78bSCy Schubert >Search</a> | 542*7f2fe78bSCy Schubert <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Retiring DES">feedback</a> 543*7f2fe78bSCy Schubert </div> 544*7f2fe78bSCy Schubert </div> 545*7f2fe78bSCy Schubert </div> 546*7f2fe78bSCy Schubert 547*7f2fe78bSCy Schubert </body> 548*7f2fe78bSCy Schubert</html>