I want to avoid old and weak ciphers on my Solaris kdc, using only AES. I edited kdc.conf:
master_key_type = aes256-cts-hmac-sha1-96
supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
These are the lines for krb5.conf:
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
Restarted the kdc and kadmin and...
kadmin -p kws/admin -wmypassword
Authenticating as principal kws/admin with password.
kadmin:
addprinc NFS/[email protected]
ktadd -k nfs.keytab -e aes256-cts-hmac-sha1-96 NFS/[email protected]
ktadd: Invalid argument while parsing keysalts aes256-cts-hmac-sha1-96
Trying the default..
ktadd -k nfs.keytab NFS/[email protected]
Entry for principal NFS/[email protected] with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:nfs.keytab.
Entry for principal NFS/[email protected] with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:nfs.keytab.
Entry for principal NFS/[email protected] with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:nfs.keytab.
Entry for principal NFS/[email protected] with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:nfs.keytab.
Entry for principal NFS/[email protected] with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:nfs.keytab.
Why does it generate the DES keys? Is it possible to force the AES cipher instead?
EDIT: I found a way to create only aes256 keys
ktadd -e aes256-cts:normal -k nfs.keytab NFS/[email protected]
The question remains how to find a way to force/generate only aes256 keys.
While waiting for a better solution, I use this workaround when creating keys
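
A way to check what ktadd actually wrote, as an added example that is not part of the original post: this Python sketch parses ktadd output lines of the form quoted above and lists every keytab entry whose enctype falls outside the AES-only policy. The principal name in the sample is constructed, and the function names are hypothetical.

```python
import re

# Shape of the lines kadmin's ktadd prints, as quoted in the post above.
ENTRY_RE = re.compile(
    r"Entry for principal (?P<principal>.+?) with kvno (?P<kvno>\d+), "
    r"encryption type (?P<enctype>.+?) added to keytab (?P<keytab>\S+?)\.?$"
)

# AES-only policy from the post, matched on ktadd's descriptive enctype names.
ALLOWED_PREFIXES = ("AES-256", "AES-128")

# Constructed sample: same enctype descriptions as the post, made-up principal.
P = "NFS/host.example.com@EXAMPLE.COM"
SAMPLE = f"""\
ktadd: Invalid argument while parsing keysalts aes256-cts-hmac-sha1-96
Entry for principal {P} with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:nfs.keytab.
Entry for principal {P} with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:nfs.keytab.
Entry for principal {P} with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:nfs.keytab.
Entry for principal {P} with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:nfs.keytab.
Entry for principal {P} with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:nfs.keytab.
"""


def parse_ktadd_output(text):
    """Return one dict per 'Entry for principal' line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["kvno"] = int(entry["kvno"])
            entries.append(entry)
    return entries


def outside_policy(entries):
    """Entries whose enctype is neither AES-128 nor AES-256."""
    return [e for e in entries if not e["enctype"].startswith(ALLOWED_PREFIXES)]


if __name__ == "__main__":
    for e in outside_policy(parse_ktadd_output(SAMPLE)):
        print(f"{e['keytab']}: {e['principal']} kvno {e['kvno']} has {e['enctype']}")
```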