
Re: HEAD's UP: possible 0day SSH exploit in the wild



Peter Jordan <usernetwork@gmx.info> writes:
> Russ Allbery, Thu Jul 09 2009 21:51:50 GMT+0200 (CEST):

>> Ensuring that you use AES enctypes for all keys (disable DES and
>> ideally also 3DES)

> How?

In /etc/krb5kdc/kdc.conf, set the supported_enctypes configuration
option for your realm to:

    supported_enctypes = aes256-cts:normal

Note that you'll also need to enable rc4-hmac:normal if you need to do
cross-realm trust with Active Directory, and you'll need to enable
des3-hmac-sha1:normal if you have any Java 1.4 clients.

However, if you also have AFS, which I recall that you do, you can't
turn it off at that level.  You have to leave DES as a supported enctype
since the AFS service key at present still has to be DES (although we're
working on that).  In that case, you have to deal with it at creation
time for each principal.  In other words, when you do addprinc or ktadd
for everything other than the AFS service key, pass the -e
"aes256-cts:normal" option to the command to force the enctypes to be
restricted to 256-bit AES.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
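The per-principal approach described above (force `-e "aes256-cts:normal"` on every addprinc/ktadd except the AFS service key) is easy to get wrong by hand across a realm, so here is an added example of a small POSIX shell helper. It is not part of the original message and not MIT Kerberos code: it emits the kadmin.local commands with the enctype restriction applied, and audits `klist -ket` output for any non-AES key other than the AFS service key. The principal names, realm (EXAMPLE.ORG) and keytab path are assumptions; the sample keytab listing is constructed, not a real one.

```shell
#!/bin/sh
# Added example for the thread above; not from the original message.
# Assumes MIT Kerberos kadmin.local / klist syntax. Names, realm and
# keytab path are made up for illustration.

# Emit the kadmin.local command that creates PRINC with a 256-bit AES key
# only. The AFS service key is the one exception: it is created without
# -e so it falls back to the realm's supported_enctypes, which must still
# include DES for AFS as the message explains.
addprinc_cmd() {
    princ=$1
    case $princ in
        afs|afs/*|afs@*)
            echo "addprinc -randkey $princ" ;;
        *)
            echo "addprinc -randkey -e aes256-cts:normal $princ" ;;
    esac
}

# Emit the matching ktadd command, again restricted to aes256-cts:normal.
# The keytab path is an assumption.
ktadd_cmd() {
    princ=$1
    echo "ktadd -k /etc/krb5.keytab -e aes256-cts:normal $princ"
}

# Read `klist -ket` output on stdin and print "principal enctype" for every
# key whose enctype is not AES, skipping afs/ principals. Exit status is 1
# if at least one such key was found, 0 otherwise.
weak_enctypes() {
    awk '
        # Key lines look like: "   2 07/10/09 10:00:00 princ@REALM (enctype)"
        # so the enctype is the last field and the principal the one before.
        $NF ~ /^\(.*\)$/ && $(NF-1) !~ /^afs\// {
            enc = $NF
            gsub(/[()]/, "", enc)
            if (enc !~ /^aes/) { print $(NF-1), enc; found = 1 }
        }
        END { exit found ? 1 : 0 }
    '
}

# Constructed sample of `klist -ket` output (not real hosts or keys): the
# host key still has a DES key alongside its AES one, the AFS key is DES.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 07/10/09 10:00:00 host/www.example.org@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
   2 07/10/09 10:00:00 host/www.example.org@EXAMPLE.ORG (des-cbc-crc)
   1 07/10/09 10:00:00 afs/example.org@EXAMPLE.ORG (des-cbc-crc)'

# Stand-alone demo: audit the sample and show how the offending key would
# be re-issued with the enctype restriction.
if printf '%s\n' "$SAMPLE_KEYTAB" | weak_enctypes; then
    echo "all non-AFS keys are AES"
else
    echo "non-AES keys found; re-issue with, e.g.:"
    echo "  kadmin.local -q '$(ktadd_cmd host/www.example.org)'"
fi
```

Run it against a live keytab with `klist -ket /etc/krb5.keytab | weak_enctypes`; a non-zero exit status means some non-AFS principal still carries a DES or 3DES key. Note that this only checks keytabs on the host you run it on; the authoritative view of each principal's keys is `getprinc` in kadmin on the KDC.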
