Re: HEAD's UP: possible 0day SSH exploit in the wild
Russ Allbery, Fri Jul 10 2009 16:31:14 GMT+0200 (CEST):
> Peter Jordan <usernetwork@gmx.info> writes:
>
>> Let the option
>> master_key_type = des3-hmac-sha1
>> as it is?
>
> Yes. The master key isn't used on the network and changing it is very
> difficult in lenny.
But for new installations a change is not a bad idea?
>
>> No change in /etc/krb5.conf required?
>
> Correct. Clients will negotiate the strongest available encryption key
> automatically.
How can I see that the change has worked?
>
>> should i renew all host keys?
>
> Ideally, yes, since that will get them on AES only. If you have any
> existing keys that don't have AES keys, you do need to list fallback
> enctypes as supported until you've rekeyed them or you won't be able to
> authenticate to them.
>
It seems to work without renewing old keys (host/nfs). How can I see
which enctypes the keys have?
Btw., if I list the principal for me in kadmin.local there are no values
for Last successful authentication / Last failed authentication and
Failed password attempts, although the REQUIRES_PRE_AUTH attribute is set:
get_principal peter
Principal: peter@EXAMPLE.COM
[...]
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 6
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with RSA-MD5, Version 4
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
Do you know what is wrong?
Thank you very much!
PJ
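An added example, not part of this thread and not code from Russ or from the Kerberos project: a small Python parser for `kadmin.local get_principal` output in the format quoted above. It reports whether a principal has any AES key at all, and which pre-AES enctypes it still carries, which is exactly the information you need to decide whether the fallback enctypes Russ mentions can be dropped from the permitted list yet. The first sample is the dump from this mail; the second is a constructed dump of a rekeyed host principal, and both its principal name and the AES enctype display strings in it are assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample 1: the kadmin.local "get_principal peter" dump quoted in the mail
# (DES and 3DES keys only, no AES key).
SAMPLE_LEGACY = """\
Principal: peter@EXAMPLE.COM
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 6
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with RSA-MD5, Version 4
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
"""

# Constructed sample 2: what a rekeyed host principal could look like. The principal
# name and the AES enctype display strings are assumptions, not taken from the mail.
SAMPLE_REKEYED = """\
Principal: host/nfs.example.com@EXAMPLE.COM
Number of keys: 3
Key: vno 2, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 2, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
"""

# "Key: vno <n>, <enctype>[, <salt type>]" as printed by kadmin.local get_principal
KEY_LINE = re.compile(r"^Key: vno (\d+), (.+?)(?:, (.+))?$")


def parse_getprinc(text: str) -> Dict[str, object]:
    """Parse one get_principal dump into principal name and key list."""
    principal: Optional[str] = None
    declared: Optional[int] = None
    keys: List[Dict[str, object]] = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Principal:"):
            principal = line.split(":", 1)[1].strip()
        elif line.startswith("Number of keys:"):
            declared = int(line.split(":", 1)[1].strip())
        else:
            m = KEY_LINE.match(line)
            if m:
                keys.append({"vno": int(m.group(1)),
                             "enctype": m.group(2),
                             "salt": m.group(3) or ""})
    if principal is None:
        raise ValueError("no 'Principal:' line found")
    # Sanity check: the declared key count must match the keys actually listed.
    if declared is not None and declared != len(keys):
        raise ValueError(f"{principal}: declared {declared} keys but parsed {len(keys)}")
    return {"principal": principal, "keys": keys}


def is_aes(enctype: str) -> bool:
    """AES enctypes are the ones every principal should end up on after rekeying."""
    return "aes" in enctype.lower()


def audit(text: str) -> Dict[str, object]:
    """Report whether a principal still depends on pre-AES keys.

    needs_rekey is True when the principal has no AES key at all: clients can then
    only authenticate to it while DES/3DES stay listed as permitted fallback enctypes.
    """
    info = parse_getprinc(text)
    enctypes = [k["enctype"] for k in info["keys"]]
    aes = [e for e in enctypes if is_aes(e)]
    legacy = sorted({e for e in enctypes if not is_aes(e)})
    return {
        "principal": info["principal"],
        "has_aes": bool(aes),
        "legacy_enctypes": legacy,
        "needs_rekey": not aes,
    }


if __name__ == "__main__":
    for dump in (SAMPLE_LEGACY, SAMPLE_REKEYED):
        r = audit(dump)
        state = "needs rekey" if r["needs_rekey"] else "has AES key"
        legacy = ", ".join(r["legacy_enctypes"]) or "none"
        print(f"{r['principal']}: {state}; legacy enctypes: {legacy}")
```

In practice you would feed it the output of `kadmin.local -q "get_principal <name>"` for each principal (one dump per call) and only remove the DES/3DES fallback enctypes from the permitted list once no principal reports `needs_rekey`.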