• Removing deprecated keys

    From Dan Mahoney (Gushi)@21:1/5 to All on Wed Nov 1 01:16:15 2023
    Hey there folks,

    We've recently gone through all the hard work of switching off 3des on our
    kdcs and rolling all the things, but one of the things we note is that
    some of our users still have the keys with the old enctypes present. Is
    there a way to delete just those deprecated keys, without forcing a
    password change?

    Failed password attempts: 0
    Number of keys: 5
    Key: vno 2, aes256-cts-hmac-sha1-96
    Key: vno 2, aes128-cts-hmac-sha1-96
    Key: vno 2, DEPRECATED:des3-cbc-sha1 <-- Yeet?
    Key: vno 2, aes128-cts-hmac-sha256-128
    Key: vno 2, aes256-cts-hmac-sha384-192
    MKey: vno 3
    Attributes: REQUIRES_PRE_AUTH
    Policy: [none]

    -Dan

    --

    --------Dan Mahoney--------
    Techie, Sysadmin, WebGeek
    Gushi on efnet/undernet IRC
    FB: fb.com/DanielMahoneyIV
    LI: linkedin.com/in/gushi
    Site: http://www.gushi.org
    ---------------------------

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Greg Hudson@21:1/5 to Dan Mahoney (Gushi) on Wed Nov 1 02:13:54 2023
    To: kerberos@mit.edu

    On 10/31/23 21:16, Dan Mahoney (Gushi) wrote:
    > We've recently gone through all the hard work of switching off 3des on
    > our kdcs and rolling all the things, but one of the things we note is
    > that some of our users still have the keys with the old enctypes
    > present. Is there a way to delete just those deprecated keys, without
    > forcing a password change?

    I don't believe we have that feature currently; the closest we have is
    the kadmin purgekeys command, but that command (and its associated
    libkadm5 RPC) only removes whole key versions.

    It would be possible to write a C program using libkdb5 to crawl the
    database and remove the desired keys; I can't think of any simpler
    approach. I believe common practice is just to force password changes,
    or wait until password maximum lifetimes force changes over time.

    If you're at the point of not relying on any des3-cbc-sha1 keys, you can
    set a permitted_enctypes in [libdefaults] on the KDC that does not
    include it (a value of "DEFAULT -des3" should work). Then the KDC will
    ignore those keys while continuing to allow the other ones to be used.

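An added audit script, not from either poster: it parses kadmin `getprinc` output in the form shown in the question and reports, per principal, whether the deprecated keys can simply be ignored via `permitted_enctypes` (a non-deprecated key exists at the same kvno) or whether a rekey is needed before des3 is dropped. The sample output and principal names (EXAMPLE.ORG) are constructed for this example.

```python
"""Audit kadmin 'getprinc' output for DEPRECATED enctype keys."""
import re

# Constructed sample of two principals' getprinc output (not real data).
SAMPLE = """\
Principal: alice@EXAMPLE.ORG
Failed password attempts: 0
Number of keys: 5
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96
Key: vno 2, DEPRECATED:des3-cbc-sha1
Key: vno 2, aes128-cts-hmac-sha256-128
Key: vno 2, aes256-cts-hmac-sha384-192
MKey: vno 3
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
Principal: legacy/host@EXAMPLE.ORG
Number of keys: 1
Key: vno 7, DEPRECATED:des3-cbc-sha1
MKey: vno 3
"""

# Matches "Key: vno N, [DEPRECATED:]enctype" lines printed by kadmin.
KEY_RE = re.compile(r"^Key: vno (\d+), (DEPRECATED:)?(\S+)")


def parse_getprinc(text):
    """Return {principal: [(kvno, enctype, is_deprecated), ...]}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("Principal: "):
            current = line.split(": ", 1)[1]
            keys[current] = []
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            keys[current].append((int(m.group(1)), m.group(3), bool(m.group(2))))
    return keys


def audit(keys):
    """Classify each principal: 'clean' (no deprecated keys), 'safe_to_disable'
    (every deprecated key shares its kvno with a non-deprecated key, so a
    permitted_enctypes exclusion breaks nothing) or 'needs_rekey'."""
    result = {}
    for princ, entries in keys.items():
        deprecated_vnos = {v for v, _, dep in entries if dep}
        strong_vnos = {v for v, _, dep in entries if not dep}
        if not deprecated_vnos:
            result[princ] = "clean"
        elif deprecated_vnos <= strong_vnos:
            result[princ] = "safe_to_disable"
        else:
            result[princ] = "needs_rekey"
    return result
```

Feed it real output with `kadmin.local -q 'getprinc <principal>'` concatenated over `listprincs`; principals reported as `needs_rekey` are the ones that still require a password change or `change_password -keepold`.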