From: dan...@prime.gushi.org (Dan Mahoney (Gushi))
Newsgroups: comp.protocols.kerberos
Subject: Removing deprecated keys
Date: Wed, 1 Nov 2023 01:16:15 +0000 (UTC)
Organization: TNet Consulting
Lines: 31
Message-ID: <mailman.42.1698801391.2263420.kerberos@mit.edu>
To: kerberos@mit.edu
 by: Dan Mahoney (Gushi) - Wed, 1 Nov 2023 01:16 UTC

Hey there folks,

We've recently gone through all the hard work of switching off 3des on our
kdcs and rolling all the things, but one of the things we note is that
some of our users still have the keys with the old enctypes present. Is
there a way to delete just those deprecated keys, without forcing a
password change?

Failed password attempts: 0
Number of keys: 5
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96
Key: vno 2, DEPRECATED:des3-cbc-sha1 <-- Yeet?
Key: vno 2, aes128-cts-hmac-sha256-128
Key: vno 2, aes256-cts-hmac-sha384-192
MKey: vno 3
Attributes: REQUIRES_PRE_AUTH
Policy: [none]

-Dan

--

--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
FB: fb.com/DanielMahoneyIV
LI: linkedin.com/in/gushi
Site: http://www.gushi.org
---------------------------
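
Added example, not part of the original post: a Python parser for kadmin `getprinc` output that reports which principals still hold keys marked `DEPRECATED:` (as in the listing above) and which hold no other key. The `Principal:` lines, principal names and sample text are constructed, and the input is assumed to be one `getprinc` listing per principal, concatenated.

```python
import re

# Constructed sample, trimmed to the relevant getprinc lines. bob's key list
# mirrors the post; the principal names and other entries are made up.
SAMPLE = """\
Principal: alice@EXAMPLE.ORG
Key: vno 4, aes256-cts-hmac-sha1-96
Principal: bob@EXAMPLE.ORG
Number of keys: 5
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96
Key: vno 2, DEPRECATED:des3-cbc-sha1
Key: vno 2, aes128-cts-hmac-sha256-128
Key: vno 2, aes256-cts-hmac-sha384-192
MKey: vno 3
Principal: carol@EXAMPLE.ORG
Key: vno 1, DEPRECATED:des3-cbc-sha1
"""

# "Key: vno N, [DEPRECATED:]enctype", tolerating a trailing ", salt" field.
KEY_RE = re.compile(r"^Key: vno (\d+), (DEPRECATED:)?([^\s,]+)")

def parse_keys(text):
    """Return {principal: [(kvno, enctype, is_deprecated), ...]}."""
    keys, principal = {}, "?"  # "?" collects keys seen before any Principal: line
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Principal:"):
            principal = line.split(":", 1)[1].strip()
            keys.setdefault(principal, [])
        m = KEY_RE.match(line)  # "MKey: vno 3" does not match: anchored at "Key:"
        if m:
            keys.setdefault(principal, []).append(
                (int(m.group(1)), m.group(3), m.group(2) is not None))
    return keys

def audit(text):
    """Return (principals with deprecated keys, principals with only those)."""
    some, only = {}, []
    for princ, klist in parse_keys(text).items():
        dep = [(kvno, etype) for kvno, etype, is_dep in klist if is_dep]
        if dep:
            some[princ] = dep
            if len(dep) == len(klist):
                only.append(princ)  # no non-deprecated key left to fall back on
    return some, only

if __name__ == "__main__":
    print(audit(SAMPLE))
```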