
Re: HEAD's UP: possible 0day SSH exploit in the wild



Russ Allbery, Fri Jul 10 2009 00:55:42 GMT+0200 (CEST):
> Peter Jordan <usernetwork@gmx.info> writes:
>> Russ Allbery, Thu Jul 09 2009 21:51:50 GMT+0200 (CEST):
> 
>>> Ensuring that you use AES enctypes for all keys (disable DES and
>>> ideally also 3DES)
> 
>> How?
> 
> In /etc/krb5kdc/kdc.conf, set the supported_enctypes configuration
> option for your realm to:
> 
>     supported_enctypes = aes256-cts:normal
> 
> Note that you'll also need to enable rc4-hmac:normal if you need to do
> cross-realm trust with Active Directory, and you'll need to enable
> des3-hmac-sha1:normal if you have any Java 1.4 clients.
> 
> However, if you also have AFS, which I recall that you do, you can't
> turn it off at that level.  You have to leave DES as a supported enctype
> since the AFS service key at present still has to be DES (although we're
> working on that).  In that case, you have to deal with it at creation
> time for each principal.  In other words, when you do addprinc or ktadd
> for everything other than the AFS service key, pass the -e
> "aes256-cts:normal" option to the command to force the enctypes to be
> restricted to 256-bit AES.
> 


Leave the option
	master_key_type = des3-hmac-sha1
as it is?

No change in /etc/krb5.conf required?

Should I renew all host keys?

PJ


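An added example, not part of PJ's or Russ Allbery's mail and not code from MIT Kerberos or any other project: a small POSIX shell audit of the enctypes a KDC still carries, built around the kdc.conf setting and the "-e aes256-cts:normal" ktadd form given in the quoted reply. The host names, the kdc.conf line and the getprinc output are constructed samples. One point the functions rely on, stated here as background rather than as anything the thread says: changing supported_enctypes only governs keys created afterwards, so principals keyed before the change keep their old enctypes until they are rekeyed, which is why checking each principal's key list is worth doing.

```shell
#!/bin/sh
# Added example (not from the original thread). Audit the enctypes a
# kdc.conf line or a principal still carries, and print the kadmin.local
# command that rekeys a principal with AES-256 only, using the
# "-e aes256-cts:normal" form from the quoted reply. All inputs are constructed.

# Constructed kdc.conf line: AES plus the two enctypes the quoted mail says to drop.
SAMPLE_KDC_CONF='supported_enctypes = aes256-cts:normal des3-hmac-sha1:normal des-cbc-crc:normal'

# Constructed "kadmin.local -q 'getprinc host/db1.example.org'" output for a
# principal whose keys predate the config change (hypothetical host name).
SAMPLE_GETPRINC='Principal: host/db1.example.org@EXAMPLE.ORG
Number of keys: 3
Key: vno 4, aes256-cts-hmac-sha1-96, no salt
Key: vno 4, des3-cbc-sha1, no salt
Key: vno 4, des-cbc-crc, no salt'

# Print, one per line, every DES/3DES/RC4 enctype name found in $1.
# Accepts either a supported_enctypes value or getprinc output: tokens are
# split on spaces and commas, and a ":salt" suffix is stripped first.
weak_enctypes() {
    printf '%s\n' "$1" \
        | tr ' ,' '\n\n' \
        | sed 's/:.*$//' \
        | grep -E '^(des|rc4|arcfour)' || true
}

# Succeed (exit 0) when $1 mentions no weak enctype at all.
aes_only() {
    [ -z "$(weak_enctypes "$1")" ]
}

# The AFS service key (afs@REALM or afs/cell@REALM) is the one principal the
# quoted mail says has to stay DES for now; rekey_cmd refuses to touch it.
is_afs_principal() {
    case "$1" in
        afs@*|afs/*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Print the kadmin.local command that replaces principal $1's keys with a
# random AES-256 key and writes it to keytab $2 (default /etc/krb5.keytab).
# ktadd generates a fresh key, so the kvno is bumped and old keys stop working.
rekey_cmd() {
    if is_afs_principal "$1"; then
        printf 'skipping %s: AFS service key must remain DES\n' "$1"
        return 1
    fi
    printf 'kadmin.local -q "ktadd -k %s -e aes256-cts:normal %s"\n' \
        "${2:-/etc/krb5.keytab}" "$1"
}

# Stand-alone run: show what the two constructed samples contain.
main() {
    echo "kdc.conf weak enctypes:";  weak_enctypes "$SAMPLE_KDC_CONF"
    echo "principal weak keys:";     weak_enctypes "$SAMPLE_GETPRINC"
    rekey_cmd host/db1.example.org@EXAMPLE.ORG
    rekey_cmd afs/example.org@EXAMPLE.ORG || true
}

main "$@"
```

On a real KDC the second sample would come from `kadmin.local -q "getprinc <principal>"` for each principal in `listprincs`; weak_enctypes then shows exactly which principals still need the ktadd (or `cpw -randkey -e aes256-cts:normal`) treatment after supported_enctypes has been tightened. If Active Directory trust or Java 1.4 clients are in play, the rc4-hmac and des3-hmac-sha1 names the quoted reply mentions would show up here by design, so treat those hits as expected rather than as findings.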