Re: Removing deprecated keys


https://www.novabbs.com/devel/article-flat.php?id=420&group=comp.protocols.kerberos#420

From: ghud...@mit.edu (Greg Hudson)
Newsgroups: comp.protocols.kerberos
Subject: Re: Removing deprecated keys
Date: Wed, 1 Nov 2023 02:13:54 -0400
Organization: TNet Consulting
Lines: 20
Message-ID: <mailman.43.1698819243.2263420.kerberos@mit.edu>
References: <7e384a59-8a34-3305-f46f-30ea18942b5d@prime.gushi.org>
<a6438895-e809-4685-9130-f8f3c4952bd7@mit.edu>
To: "Dan Mahoney (Gushi)" <danm@prime.gushi.org>, <kerberos@mit.edu>
In-Reply-To: <7e384a59-8a34-3305-f46f-30ea18942b5d@prime.gushi.org>
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos/>
 by: Greg Hudson - Wed, 1 Nov 2023 06:13 UTC

On 10/31/23 21:16, Dan Mahoney (Gushi) wrote:
> We've recently gone through all the hard work of switching off 3des on
> our kdcs and rolling all the things, but one of the things we note is
> that some of our users still have the keys with the old enctypes
> present.  Is there a way to delete just those deprecated keys, without
> forcing a password change?

I don't believe we have that feature currently; the closest we have is
the kadmin purgekeys command, but that command (and its associated
libkadm5 RPC) only removes whole key versions.

It would be possible to write a C program using libkdb5 to crawl the
database and remove the desired keys; I can't think of any simpler
approach. I believe common practice is just to force password changes,
or wait until password maximum lifetimes force changes over time.

If you're at the point of not relying on any des3-cbc-sha1 keys, you can
set a permitted_enctypes in [libdefaults] on the KDC that does not
include it (a value of "DEFAULT -des3" should work). Then the KDC will
ignore those keys while continuing to allow the other ones to be used.
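An added audit script, not from the thread or from MIT krb5, that applies the point Greg makes about purgekeys: it parses `kadmin getprinc` output and sorts principals into those whose deprecated keys share the current kvno (only a password change, or the KDC-side permitted_enctypes workaround, deals with those) and those whose deprecated keys sit only in retained older key versions, which purgekeys can drop whole. The principal names and key listing are constructed, and treating only the des3 family as deprecated is an assumption taken from the thread.

```python
import re
# Constructed sample (not data from the thread): concatenated `kadmin getprinc`
# output for three hypothetical principals; only Principal: and Key: lines matter.
SAMPLE = """\
Principal: alice@EXAMPLE.ORG
Key: vno 4, aes256-cts-hmac-sha1-96
Key: vno 4, aes128-cts-hmac-sha1-96
Key: vno 4, des3-cbc-sha1
Principal: bob@EXAMPLE.ORG
Key: vno 5, aes256-cts-hmac-sha1-96
Key: vno 4, aes256-cts-hmac-sha1-96
Key: vno 4, des3-cbc-sha1
Principal: carol@EXAMPLE.ORG
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96, no salt
"""
# Only triple-DES is at issue in the thread (assumption); add other families if needed.
DEPRECATED_PREFIXES = ("des3-",)
# Enctype name ends at ',' or ':' (getprinc may append a salt type or ", no salt").
KEY_RE = re.compile(r"^Key: vno (\d+), ([A-Za-z0-9-]+)")

def parse_getprinc(text):
    """Return {principal: [(kvno, enctype), ...]} parsed from getprinc output."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("Principal: "):
            current = line[len("Principal: "):].strip()
            keys[current] = []
        elif current is not None and (m := KEY_RE.match(line)):
            keys[current].append((int(m.group(1)), m.group(2)))
    return keys

def classify(keys):
    """Map each principal to the cleanup its deprecated keys permit."""
    verdicts = {}
    for princ, klist in keys.items():
        bad_kvnos = {k for k, et in klist if et.startswith(DEPRECATED_PREFIXES)}
        if not bad_kvnos:
            verdicts[princ] = "clean"
        elif max(k for k, _ in klist) in bad_kvnos:
            # A deprecated key shares the current kvno: purgekeys only drops whole
            # key versions, so a password change (or KDC permitted_enctypes) is needed.
            verdicts[princ] = "needs-password-change"
        else:
            # Deprecated keys live only in retained older kvnos, which purgekeys removes.
            verdicts[princ] = "purgekeys-sufficient"
    return verdicts

if __name__ == "__main__":
    print(classify(parse_getprinc(SAMPLE)))
```

In practice, feed it the concatenated output of `getprinc` for each name from `getprincs`.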
