Re: HEAD's UP: possible 0day SSH exploit in the wild
Russ Allbery, Fri Jul 10 2009 00:55:42 GMT+0200 (CEST):
> Peter Jordan <usernetwork@gmx.info> writes:
>> Russ Allbery, Thu Jul 09 2009 21:51:50 GMT+0200 (CEST):
>
>>> Ensuring that you use AES enctypes for all keys (disable DES and
>>> ideally also 3DES)
>
>> How?
>
> In /etc/krb5kdc/kdc.conf, set the supported_enctypes configuration
> option for your realm to:
>
> supported_enctypes = aes256-cts:normal
>
> Note that you'll also need to enable rc4-hmac:normal if you need to do
> cross-realm trust with Active Directory, and you'll need to enable
> des3-hmac-sha1:normal if you have any Java 1.4 clients.
>
> However, if you also have AFS, which I recall that you do, you can't
> turn it off at that level. You have to leave DES as a supported enctype
> since the AFS service key at present still has to be DES (although we're
> working on that). In that case, you have to deal with it at creation
> time for each principal. In other words, when you do addprinc or ktadd
> for everything other than the AFS service key, pass the -e
> "aes256-cts:normal" option to the command to force the enctypes to be
> restricted to 256-bit AES.
>
Let the option
master_key_type = des3-hmac-sha1
as it is?
No change in /etc/krb5.conf required?
should i renew all host keys?
PJ
Reply to: