X-Git-Url: https://sipb.mit.edu/gitweb.cgi/wiki.git/blobdiff_plain/3d902d6a694154051bf3de13936bd937afda4ea6..c8a95950b6fd313df0c8c44fdc79a03fe79fee62:/doc/kerberized-server.mdwn diff --git a/doc/kerberized-server.mdwn b/doc/kerberized-server.mdwn index 96d0767..9530759 100644 --- a/doc/kerberized-server.mdwn +++ b/doc/kerberized-server.mdwn @@ -8,7 +8,7 @@ which sends them an e-mail. Your new keytab will be in `/mit/accounts/srvtabs/FOR_YOURUSERNAME`, which is AFS and vaguely insecure. You probably want to install it in `/etc/krb5.keytab`, -and then set a new (random) key. +and then **set a new (random) key**. # mv -f /etc/krb5.keytab /etc/krb5.keytab.old # back up any keytab you already have # mv /mit/accounts/srvtabs/FOR_JOEUSER/joeserver-new-keytab /etc/krb5.keytab @@ -35,3 +35,24 @@ matches; that is to say, an Athena user whose username matches a local username can log in to that local account. (One option to avoid this is to create a `.k5login` file in `/etc/skel` so that new accounts you later add get this file by default.) + +## Upgrading cryptographic strength + +You may wish to change the encryption algorithms (*enctypes*) included in your keytab. With server principals (like `daemon/servername.mit.edu` or `host/servername.mit.edu`) it is particularly important to support *only* strong algorithms. If you support a weak algorithm, an attacker can request a service ticket encrypted with that key, allowing them to do an offline attack and potentially extract your secret key. + +To change the supported enctypes, run `kadmin`: + + kadmin -p daemon/kronborg.mit.edu -k -t daemon.kronborg.keytab + +From within `kadmin`, to create new keys: + + ktadd -k daemon.kronborg.keytab -e aes256-cts:normal -e aes128-cts:normal daemon/kronborg.mit.edu + +After all tickets currently issued against your service expire (which will happen after at most one day), you should remove the old keys from your keytab. If there are no outstanding tickets, you can do this from within `kadmin`: + + ktremove -k daemon.kronborg.keytab daemon/kronborg.mit.edu old + +Before exiting, you may wish to verify in a separate terminal that the correct updated key has been written to the keytab: + + kinit -k -t daemon.kronborg.keytab daemon/kronborg.mit.edu + kvno daemon/kronborg.mit.edu@ATHENA.MIT.EDU