LinuxQuestions.org

Linux - Security: Acceptable Kerberos encryption (https://www.linuxquestions.org/questions/linux-security-4/acceptable-kerberos-encryption-852115/)

ryeguy146 12-23-2010 06:58 PM

Acceptable Kerberos encryption

I am building an Active Directory and using BIND9 as my DNS. To allow for secure dynamic updates from the domain, I am enabling GSS-TSIG as detailed here and here. Unfortunately, some of the commands and configurations used here seem to be deprecated, at least in the newer versions that I'm using.

My issue is one of keytab encryption. I generated a keytab using ktpass.exe on the Windows Server 2008 domain controller. I have tried DES/MD5, AES128/SHA1 and AES256/SHA1, and each has been turned down by ktutil on the Kerberos server (FreeBSD). Each time, it outputs the following error:

ktutil: AES256/SHA1*: encryption type AES256/SHA1* not supported

*Respective to encryption used.

I cannot find a list of suitable encryption schemes that ktutil will accept. The FreeBSD handbook details a means of producing a keytab file, but I'm not sure how to configure the Domain Controller to use the keytab.

Any direction you guys can give me?

ryeguy146 12-24-2010 01:37 AM

Firstly, let me say that the manuals available for ktutil that describe its shell-like environment are outdated. ktutil no longer runs as such (at least the newest ports version in FreeBSD). Instead, I used the FreeBSD man pages and found the correct help, though it still didn't specify any encryption schemes that were acceptable. I used #ktutil add and was asked to specify encryption. At this point, I cross-referenced ktpass's help file to discern what encryption schemes it has available. After entering each into ktutil, only one was listed as acceptable, des-cbc-md5, so I made a keytab on the Domain Controller and moved it to the Kerberos server and ktutil accepted it. #ktutil list did indeed list the keyfile. Later, I noticed that the previously linked page's suggested configuration did indeed list the proper encryption scheme as des-cbc-md5, though it offered deprecated commands.

RTFM@me.

I suppose I'm on my way to secure dynamic update across my domain. Thanks anyway everyone. I'm sure that my cross-platform adventures will bring me back shortly with more problems to mull over.
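Added example (editor's code, not from the thread or from the BIND/Heimdal/ktpass projects): a keytab stores each key with its numeric Kerberos enctype (RFC 3961/3962/4757), while the names shown for those numbers differ between ktpass (AES256-SHA1) and Heimdal's ktutil (aes256-cts-hmac-sha1-96), so a name rejected at the ktutil prompt does not mean the enctype itself is unsupported. The script below parses a version 0x0502 keytab, the format both MIT and Heimdal write, lists each entry's principal, kvno and enctype, and flags entries whose enctype is single DES (deprecated by RFC 6649) or RC4/3DES (deprecated by RFC 8429), so an administrator can verify what actually landed in the file after ktpass and ktutil. The sample keytab is constructed inline by the build_keytab helper; the principal, realm and key bytes are placeholders, and the helper exists only to produce test input.

```python
import struct

# Kerberos enctype numbers from RFC 3961/3962/4757 (these are standard values).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",
}
# Single DES (RFC 6649), RC4-HMAC and 3DES (RFC 8429) are deprecated for Kerberos.
DEPRECATED_ENCTYPES = {1, 2, 3, 16, 23}


def _counted_string(data, pos):
    """Read a keytab 'counted octet string': 16-bit big-endian length, then bytes."""
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def parse_keytab(data):
    """Parse a keytab in format version 0x0502 into a list of entry dicts.

    Entry layout (all big-endian): int32 size, uint16 component count,
    realm, components, uint32 name type, uint32 timestamp, uint8 kvno,
    uint16 enctype, uint16 key length, key, optional uint32 kvno.
    Entries with a negative size are deleted slots and are skipped.
    """
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos = 2
    entries = []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # deleted entry: skip its payload
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted_string(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted_string(data, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + keylen]
        pos += keylen
        kvno = vno8
        if end - pos >= 4:                # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "unknown(%d)" % enctype),
            "kvno": kvno,
            "key_len": len(key),
            "deprecated": enctype in DEPRECATED_ENCTYPES,
        })
    return entries


def deprecated_entries(data):
    """Return only the entries whose enctype is on the deprecated list."""
    return [e for e in parse_keytab(data) if e["deprecated"]]


def build_keytab(entries):
    """Serialise (principal, enctype, kvno, key) tuples as a 0x0502 keytab.

    Used here only to construct sample input; real keytabs come from ktpass/ktutil.
    """
    out = bytearray(b"\x05\x02")
    for principal, enctype, kvno, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # NT-PRINCIPAL, timestamp 0
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                    # 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample: placeholder DNS service principal with a DES key and an AES-256 key.
SAMPLE_KEYTAB = build_keytab([
    ("DNS/ns1.example.test@EXAMPLE.TEST", 3, 2, b"\x01" * 8),
    ("DNS/ns1.example.test@EXAMPLE.TEST", 18, 2, b"\x02" * 32),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        flag = "DEPRECATED" if e["deprecated"] else "ok"
        print("%s kvno=%d %s keylen=%d [%s]" % (
            e["principal"], e["kvno"], e["enctype_name"], e["key_len"], flag))
```

To inspect a real file, read it in binary mode (`open("/etc/krb5.keytab", "rb").read()`) and pass the bytes to parse_keytab; the enctype number tells you what the domain controller actually issued, independent of the name either tool printed. A single-DES entry gives a 56-bit key, so a keytab that only carries des-cbc-md5 is worth revisiting once both ends agree on an AES enctype name.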

