On the Cryptography mailing list (http://www.metzdowd.com/pipermail/cryptography/2018-May/034150.html) a question came up regarding Kerberos' ability to replace passwords in a secure way. As John Gilmore pointed out, Kerberos on Ubuntu uses the outdated SHA-1 hash, so I tried to find out what Fedora does instead. What I found confuses me.

In the directory /etc/krb5.conf.d you'll find a file named "crypto-policies" (which is actually a link) with the following content:

    [libdefaults]
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac

I thought that the entries under permitted_enctypes would limit the cipher suites acceptable to my brand-new F28 installation. So I deleted everything except the two cipher suites I want to allow and changed the content of this file to:

    [libdefaults]
    permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128

The result (after a fresh reboot) was that authentication to FEDORAPROJECT.ORG shows that the sha1 cipher suite is still being used. The same applies to my old F26 installation.

    $ klist -e
    Ticketzwischenspeicher: KEYRING:persistent:1000:1000
    Standard-Principal: senderek@xxxxxxxxxxxxxxxxx

    Valid starting       Expires              Service principal
    10.05.2018 11:28:27  11.05.2018 11:25:08  HTTP/id.fedoraproject.org@xxxxxxxxxxxxxxxxx
        erneuern bis 17.05.2018 11:25:08, Etype (Skey, TKT): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
    10.05.2018 11:28:27  11.05.2018 11:25:08  HTTP/id.fedoraproject.org@
        erneuern bis 17.05.2018 11:25:08, Etype (Skey, TKT): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
    10.05.2018 11:25:14  11.05.2018 11:25:08  krbtgt/FEDORAPROJECT.ORG@xxxxxxxxxxxxxxxxx
        erneuern bis 17.05.2018 11:25:08, Etype (Skey, TKT): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

Does anyone here know why the Kerberos crypto-policy does not do what it's supposed to do?
Ralf

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
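As an added example (not part of Ralf's post and not Fedora's own tooling), a Python check that reads the permitted_enctypes line from an edited [libdefaults] snippet and pairs it with klist -e output of the shape quoted above, reporting per credential whether the session key falls outside the client's own permitted list and whether the ticket is still protected by a sha1-based enctype; the realm, principal and output lines are constructed samples. The ticket (TKT) enctype is chosen by the KDC from the service principal's long-term keys, so client-side policy cannot change it, whereas a session key (Skey) outside permitted_enctypes indicates the client configuration is not being applied at all.

```python
import re

# Constructed samples (not the poster's data): the edited [libdefaults] snippet
# and klist -e output in the shape quoted above, with placeholder names.
KRB5_CONF = "[libdefaults]\npermitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128\n"
KLIST_OUTPUT = """Ticketzwischenspeicher: KEYRING:persistent:1000:1000
10.05.2018 11:28:27  11.05.2018 11:25:08  HTTP/id.fedoraproject.org@EXAMPLE.ORG
\terneuern bis 17.05.2018 11:25:08, Etype (Skey, TKT): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
10.05.2018 11:25:14  11.05.2018 11:25:08  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
\terneuern bis 17.05.2018 11:25:08, Etype (Skey, TKT): aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha256-128
"""
ETYPE_RE = re.compile(r"Etype \([^)]*\):\s*([\w-]+),\s*([\w-]+)")
PRINCIPAL_RE = re.compile(r"^\d\S+\s+\S+\s+\d\S+\s+\S+\s+(\S+)$")

def permitted_enctypes(conf):
    """Return the permitted_enctypes list from [libdefaults] (empty if unset)."""
    section = None
    for line in map(str.strip, conf.splitlines()):
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
        elif section == "libdefaults" and line.startswith("permitted_enctypes"):
            return line.split("=", 1)[1].split()
    return []

def parse_klist(output):
    """Return [(service principal, session key etype, ticket etype), ...]."""
    creds, principal = [], None
    for line in output.splitlines():
        head = PRINCIPAL_RE.match(line.strip())   # dates + service principal
        etypes = ETYPE_RE.search(line)            # continuation line with etypes
        if head:
            principal = head.group(1)
        elif etypes and principal:
            creds.append((principal, etypes.group(1), etypes.group(2)))
    return creds

def audit(conf, output):
    """Flag policy violations. An Skey outside the client's own permitted list means
    the client config is not in effect; TKT is chosen by the KDC from the service's keys."""
    allowed = set(permitted_enctypes(conf))
    findings = []
    for principal, skey, tkt in parse_klist(output):
        problems = []
        if skey not in allowed:
            problems.append("skey-not-permitted")
        if "sha1" in tkt:
            problems.append("sha1-ticket")
        findings.append((principal, problems))
    return findings
```

To run it against a live cache, replace KLIST_OUTPUT with the captured text of `klist -e` and KRB5_CONF with the contents of the crypto-policies file.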