Re: Kerberos Digest, Vol 225, Issue 1

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!.POSTED.pch.mit.edu!not-for-mail
From: hanumanr...@gmail.com (Hanuman Ram Huda)
Newsgroups: comp.protocols.kerberos
Subject: Re: Kerberos Digest, Vol 225, Issue 1
Date: Sun, 3 Oct 2021 21:52:09 +0530
Organization: TNet Consulting
Lines: 120
Message-ID: <mailman.2.1633278139.17806.kerberos@mit.edu>
References: <mailman.175.1633276846.3890.kerberos@mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Injection-Info: tncsrv06.tnetconsulting.net; posting-host="pch.mit.edu:18.7.21.50";
logging-data="2324"; mail-complaints-to="newsmaster@tnetconsulting.net"
To: kerberos@mit.edu
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
 by: Hanuman Ram Huda - Sun, 3 Oct 2021 16:22 UTC

You should be able to create a new master key with the new encryption, then
migrate the principal DB with the new master key. Then you should use the
updated principal DB and the updated master, and add a new line for master
key encryption.

On Sun, Oct 3, 2021 at 9:33 PM <kerberos-request@mit.edu> wrote:

> Send Kerberos mailing list submissions to
> kerberos@mit.edu
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://mailman.mit.edu/mailman/listinfo/kerberos
> or, via email, send a message with subject or body 'help' to
> kerberos-request@mit.edu
>
> You can reach the person managing the list at
> kerberos-owner@mit.edu
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Kerberos digest..."
>
>
> Today's Topics:
>
> 1. master key type in kdc.conf (Dan Mahoney (Gushi))
> 2. supported enctypes: what is the net effect of removing 3des?
> (Dan Mahoney (Gushi))
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 3 Oct 2021 00:36:23 -0700 (PDT)
> From: "Dan Mahoney (Gushi)" <danm@prime.gushi.org>
> Subject: master key type in kdc.conf
> To: kerberos@mit.edu
> Message-ID: <7dedcb59-f09e-54ed-a0ce-5b5aac3357d@prime.gushi.org>
> Content-Type: text/plain; format=flowed; charset=US-ASCII
>
> Hey all,
>
> We're in the process of rolling our mkey to get off 3des, and we found
> that someone in the before-times has put this line in our kdc.conf:
>
> master_key_type = des3-hmac-sha1
>
> Obviously, that's not going to be the master key type of the new key, and
> of course, I think when this command came out, there was no "use mkey"
> format, so this was perhaps a primitive rollover method?
>
> Would things break if I just took this line out? Or would the kdc fail to
> start because a K/M of the default enctype isn't present yet?
>
> Does it make sense to remove this line before rollover or after?
> (This might be worth a mention in the docs).
>
> -Dan
>
> --
>
> --------Dan Mahoney--------
> Techie, Sysadmin, WebGeek
> Gushi on efnet/undernet IRC
> FB: fb.com/DanielMahoneyIV
> LI: linkedin.com/in/gushi
> Site: http://www.gushi.org
> ---------------------------
>
>
>
> ------------------------------
>
> Message: 2
> Date: Sun, 3 Oct 2021 02:34:32 -0700 (PDT)
> From: "Dan Mahoney (Gushi)" <danm@prime.gushi.org>
> Subject: supported enctypes: what is the net effect of removing 3des?
> To: kerberos@mit.edu
> Message-ID: <bb892711-eafc-c111-20a2-f18ecfb23d3e@prime.gushi.org>
> Content-Type: text/plain; format=flowed; charset=US-ASCII
>
> Hey there. My org is moving off 3des.
>
> My reading of "supported_enctypes" is simply that it will stop kadmin/the
> KDC from generating NEW keys of an older type, correct? That if I do a
> cpw without -keepold, those keys will be removed -- but otherwise, the KDC
> will not act as though a user with 3des-only keys doesn't exist.
>
> Changing it should not break any authentication or tickets? Or will the
> kdc then refuse to issue TGT's that use that type at all? (It seems like
> that would be affected by the similarly named permitted_enctypes, tho).
>
> -Dan
>
> --
>
> --------Dan Mahoney--------
> Techie, Sysadmin, WebGeek
> Gushi on efnet/undernet IRC
> FB: fb.com/DanielMahoneyIV
> LI: linkedin.com/in/gushi
> Site: http://www.gushi.org
> ---------------------------
>
>
>
> ------------------------------
>
> _______________________________________________
> Kerberos mailing list
> Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
> End of Kerberos Digest, Vol 225, Issue 1
> ****************************************
>

--
*Thanks & Regards*
*Hanuman Huda*
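
A check for the settings discussed in this thread, as an added example that is not part of the original post or of MIT krb5: it scans a kdc.conf for `master_key_type` and `supported_enctypes` values that still name a 3DES enctype. The sample file, the realm name EXAMPLE.COM and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag kdc.conf settings that still name a 3DES enctype.

# Names MIT krb5 accepts for 3DES, plus the "des3" family alias.
DES3_NAMES='des3 des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd des3-cbc-raw'

# Constructed sample config, modelled on the line quoted in the thread.
sample_kdc_conf() {
cat <<'EOF'
[kdcdefaults]
    kdc_ports = 88

[realms]
    EXAMPLE.COM = {
        # constructed sample, not a real deployment
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts-hmac-sha1-96:normal des3-cbc-sha1:normal
    }
EOF
}

# audit_kdc_conf [FILE]   (reads stdin when FILE is omitted)
# Prints "<realm> <parameter> <enctype>" for each 3DES name found.
# Exit status is 1 when at least one was found, 0 otherwise.
audit_kdc_conf() {
    awk -v weak="$DES3_NAMES" '
        BEGIN { n = split(weak, w, " "); for (i = 1; i <= n; i++) bad[w[i]] = 1 }
        /^[ \t]*[#;]/         { next }             # comment line
        /^[ \t]*\[/           { ctx = "-"; next }  # new [section]
        /=[ \t]*[{][ \t]*$/   { ctx = $1; next }   # "REALM = {" opens a stanza
        /^[ \t]*[}]/          { ctx = "-"; next }  # stanza closed
        {
            eq = index($0, "=")
            if (!eq) next
            key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
            if (key != "master_key_type" && key != "supported_enctypes") next
            val = substr($0, eq + 1); gsub(/,/, " ", val)
            m = split(val, items, /[ \t]+/)
            for (j = 1; j <= m; j++) {
                e = tolower(items[j]); sub(/:.*/, "", e)   # drop ":salt" suffix
                if (e in bad) { print ctx, key, e; found = 1 }
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$@"
}

# Demo on the constructed sample; point it at the real kdc.conf in practice.
sample_kdc_conf | audit_kdc_conf || echo "3DES is still configured"
```

The non-zero exit status lets the check gate a configuration push or a CI job until both settings are free of 3DES names.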
