If you want kerberized logins on a server you run, you'll need a
*keytab* from accounts. Fill out the
-[keytab request form](http://web.mit.edu/accounts/www/srvtabform.html),
+[keytab request form](https://ist.mit.edu/accounts/keytab),
which sends them an e-mail.
Your new keytab will be in
# k5srvutil change
# k5srvutil delold
-Note that the `k5srvutil` command will also generate keys for the DES and RC4 ciphers, which are considered weak.
+Note that the `k5srvutil` command will also generate keys for the 3DES and RC4 ciphers, which are considered weak.
You are strongly advised to read the "Upgrading cryptographic strength" section below on how to generate only AES keys instead.
If you're using Debathena, you can install the `debathena-ssh-server-config` package to configure Kerberos authentication on the server side. If not, make sure your `/etc/ssh/sshd_config` file includes the lines
## Upgrading cryptographic strength
-You may wish to change the encryption algorithms (*enctypes*) included in your keytab. With server principals (like `daemon/servername.mit.edu` or `host/servername.mit.edu`) it is particularly important to support *only* strong algorithms. If you support a weak algorithm, an attacker can request a service ticket encrypted with that key, allowing them to do an offline attack and potentially extract your secret key.
+You may wish to change the encryption algorithms (*enctypes*) included in your keytab. With server principals (like `daemon/servername.mit.edu` or `host/servername.mit.edu`) it is particularly important to support *only* strong algorithms. If you support a weak algorithm, an attacker can request an initial ticket encrypted with that key, allowing them to do an offline attack and potentially extract the secret key.
To change the supported enctypes, run `kadmin`:
sipb-www / wiki.git / blobdiff