I'm confused...
I have a Kerberos KDC that apparently used to be able
to create AES256 keys, but now for some unknown reason
has stopped supporting it - and I can't figure out why
and where!?
Setup:
Solaris 10 5/08, fully patched with all the latest patches
KDC is running in a zone on a Sun Netra X1:
AES256 is available:
# cryptoadm list
User-level providers:
Provider: /usr/lib/security/$ISA/pkcs11_kernel.so
Provider: /usr/lib/security/$ISA/pkcs11_softtoken.so
Kernel software providers:
swrand
rsa
md5
sha2
sha1
blowfish448
arcfour2048
aes256
des
Kernel hardware providers:
Defaults are used in krb5.conf and kdc.conf
(ie: no "default_tkt_enctypes" or "default_tgs_enctypes")
If I run "kadmin" in the zone and "addprinc -randkey" a new
host principal I will get one without AES256 support:
kadmin: addprinc -randkey host/pi-bootis.ifm.liu.se
WARNING: no policy specified for host/pi-bootis.ifm.liu.se@IFM.LIU.SE; defaulting to no policy
Principal "host/pi-bootis.ifm.liu.se@IFM.LIU.SE" created.
kadmin: getprinc host/pi-bootis.ifm.liu.se
Principal: host/pi-bootis.ifm.liu.se@IFM.LIU.SE
Expiration date: [never]
Last password change: Thu Aug 28 11:12:00 MEST 2008
Password expiration date: [none]
Maximum ticket life: 24855 days 03:14:07
Maximum renewable life: 24855 days 03:14:07
Last modified: Thu Aug 28 11:12:00 MEST 2008 (peter/admin@IFM.LIU.SE)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 2, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, ArcFour with HMAC/md5, no salt
Key: vno 2, DES cbc mode with RSA-MD5, no salt
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
_However_ - if I look at some older host principals that were
created before, then apparently I _was_ able to create such:
kadmin: getprinc host/xi-bootis.ifm.liu.se
Principal: host/xi-bootis.ifm.liu.se@IFM.LIU.SE
Expiration date: [never]
Last password change: Sun Dec 30 20:54:19 MET 2007
Password expiration date: [none]
Maximum ticket life: 24855 days 03:14:07
Maximum renewable life: 24855 days 03:14:07
Last modified: Sun Dec 30 20:54:19 MET 2007 (keydist/as-master.ifm.liu.se@IFM.LIU.SE)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 5
Key: vno 7, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 7, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 7, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 7, ArcFour with HMAC/md5, no salt
Key: vno 7, DES cbc mode with RSA-MD5, no salt
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
If I now try to use the principals with AES256 keys (ktadd in kadmin)
I will get an error... This is pretty annoying to say the least.
Any suggestions?
(And considering the AES-kernel-problems perhaps I should just globally remove
all AES (both AES256 and AES128) keys from all principals and forget about
this problem...)
- Peter
--
Peter Eriksson <peter@ifm.liu.se> Phone: +46 13 28 2786
Computer Systems Manager/BOFH Cell/GSM: +46 705 18 2786
Physics Department, Linköping University Room: Building F, F203
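The comparison Peter does by hand above (reading two "getprinc" dumps and spotting which one lacks an AES-256 key) is something a KDC admin usually wants to do across the whole realm. Below is an added example, not code from the original post or from MIT/Solaris Kerberos, that parses the "Key: vno N, <enctype>, <salt>" lines of kadmin's getprinc output, maps the printed enctype descriptions to krb5 enctype names, and reports every principal that is missing a required enctype or still carries DES/RC4 keys. The sample input is constructed from the two transcripts in the post; the name mapping table and the "required"/"weak" sets are this example's own assumptions and should be adjusted to local policy.

```python
import re

# Constructed sample input: the two getprinc transcripts from the post, trimmed
# to the lines this parser cares about (assumes kadmin's getprinc output format).
SAMPLE_GETPRINC = """\
Principal: host/pi-bootis.ifm.liu.se@IFM.LIU.SE
Expiration date: [never]
Number of keys: 4
Key: vno 2, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, ArcFour with HMAC/md5, no salt
Key: vno 2, DES cbc mode with RSA-MD5, no salt
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
Principal: host/xi-bootis.ifm.liu.se@IFM.LIU.SE
Expiration date: [never]
Number of keys: 5
Key: vno 7, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 7, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 7, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 7, ArcFour with HMAC/md5, no salt
Key: vno 7, DES cbc mode with RSA-MD5, no salt
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
"""

# "Key: vno <n>, <enctype description>, <salt description>"
KEY_RE = re.compile(r"^Key: vno (\d+), (.+?), (.+)$")

# Assumed mapping from the descriptions kadmin prints to krb5 enctype names.
ENCTYPE_NAMES = {
    "AES-256 CTS mode with 96-bit SHA-1 HMAC": "aes256-cts-hmac-sha1-96",
    "AES-128 CTS mode with 96-bit SHA-1 HMAC": "aes128-cts-hmac-sha1-96",
    "Triple DES cbc mode with HMAC/sha1": "des3-cbc-sha1",
    "ArcFour with HMAC/md5": "arcfour-hmac",
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
}

# Enctypes a defender would want to phase out (policy choice, assumed here).
WEAK_ENCTYPES = {"des-cbc-md5", "des-cbc-crc", "arcfour-hmac"}


def parse_getprinc(text):
    """Return {principal: {"kvno": int, "enctypes": [name, ...]}} from
    one or more concatenated getprinc dumps."""
    principals = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Principal: "):
            current = line[len("Principal: "):]
            principals[current] = {"kvno": None, "enctypes": []}
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            entry = principals[current]
            entry["kvno"] = int(m.group(1))  # all keys of a principal share one kvno
            description = m.group(2)
            entry["enctypes"].append(ENCTYPE_NAMES.get(description, description))
    return principals


def audit(principals, required="aes256-cts-hmac-sha1-96", weak=WEAK_ENCTYPES):
    """For each principal: does it lack the required enctype, and which weak
    enctypes does it still carry?"""
    report = {}
    for princ, info in principals.items():
        present = set(info["enctypes"])
        report[princ] = {
            "kvno": info["kvno"],
            "missing_required": required not in present,
            "weak_keys": sorted(present & weak),
        }
    return report


if __name__ == "__main__":
    for princ, r in audit(parse_getprinc(SAMPLE_GETPRINC)).items():
        flags = []
        if r["missing_required"]:
            flags.append("no AES-256 key")
        if r["weak_keys"]:
            flags.append("weak keys: " + ", ".join(r["weak_keys"]))
        print(f"{princ} (kvno {r['kvno']}): {'; '.join(flags) or 'ok'}")
```

Run against real data by feeding it the output of "kadmin -q 'getprinc <name>'" for each principal listed by "listprincs"; on the sample above it flags pi-bootis as lacking an AES-256 key and reports that both principals still hold DES and ArcFour keys.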