I want to avoid using the old weak ciphers on a Solaris KDC and use only AES. I have edited kdc.conf:
master_key_type = aes256-cts-hmac-sha1-96
supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
These are the krb5.conf lines:
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_encryptes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
Restarted kdc and kadmin, then..
kadmin -p kws/admin -wmypassword
Authenticating as principal kws/admin with password.
kadmin:
addprinc NFS/[email protected]
ktadd -k nfs.keytab -e aes256-cts-hmac-sha1-96 NFS/[email protected]
ktadd: Invalid argument while parsing keysalts aes256-cts-hmac-sha1-96
Trying the default..
ktadd -k nfs.keytab NFS/[email protected]
Entry for principal NFS/[email protected] with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:nfs.keytab.
Entry for principal NFS/[email protected] with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:nfs.keytab.
Entry for principal NFS/[email protected] with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:nfs.keytab.
Entry for principal NFS/[email protected] with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:nfs.keytab.
Entry for principal NFS/[email protected] with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:nfs.keytab.
Why are DES keys being generated? Is it possible to force the use of AES ciphers only?
Edit: I found a way to create only aes256 keys
ktadd -e aes256-cts:normal -k nfs.keytab NFS/[email protected]
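The problem remains finding a way to force/generate only aes256 keys.
While waiting for a better solution, I am using this workaround to create the keys.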