I'm having trouble exporting and importing Kerberos keys into OpenAFS.
My first problem is that when using the `addprinc` and `ktadd` commands in `kadmin.local`, the encryption key type `-e` option appears to be ignored. For example, when I try to add a key of type `des-cbc-crc:v4`, a key of type `aes256-cts-hmac-sha1-96` appears to be added instead:
Code:
kadmin.local: ktadd -e des-cbc-crc:v4 -k /tmp/afs.ktab afs
Entry for principal afs with kvno 4, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/afs.ktab.
Entry for principal afs with kvno 4, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/afs.ktab.
The same happens with `addprinc`: I try to specify `-e DES-CBC-CRC:md5` for the key type, but this appears to be ignored and I end up with an `aes128-cts-hmac-sha1-96` key:
Code:
$ kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: addprinc -policy service -randkey -e DES-CBC-CRC:md5 afs
WARNING: policy "service" does not exist
Principal "afs@EXAMPLE.COM" created.
kadmin.local: getprinc afs
Principal: afs@EXAMPLE.COM
Expiration date: [never]
Last password change: Mon May 27 18:22:21 EDT 2024
Password expiration date: [never]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon May 27 18:22:21 EDT 2024 (root/admin@EXAMPLE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, aes128-cts-hmac-sha1-96
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: service [does not exist]
kadmin.local:
Additionally, when I try to import this key using `asetkey`, I get an unreadable error message:
Code:
sudo asetkey add 4 /tmp/afs.ktab afs
asetkey: unknown RPC error (-1765328203) for keytab entry with Principal afs@EXAMPLE.COM, kvno 4, DES-CBC-CRC/MD5/MD4
Reading the `asetkey` man page, I see a strong recommendation against using the `des-cbc-crc` key type and for using the `rxkad-k5` extension instead:
Code:
A modern AFS cell should be using the rxkad-k5 extension, or risks terribly insecure operation (complete cell compromise for $100 in 1 day). The keys used for rxkad-k5 operation are stored in the KeyFileExt. Cells not using the rxkad-k5 extension (i.e., stock rxkad) use keys of the des-cbc-crc encryption type, which are stored in the KeyFile.
Reading further, the `KeyFileExt` man page says that adding `rxkad-k5` keys requires specifying a "krb5 encryption type number", which is distinct from a string identifier:
Code:
Using asetkey(8) to add rxkad-k5 keys to the KeyFileExt also requires specifying a krb5 encryption type number. Since the encryption type must be specified by its number (not a symbolic or string name), care must be taken to determine the correct encryption type to add.
I'm stuck with a lot of related questions:
1. Why does `kadmin` appear to ignore my specified encryption type?
2. How do I determine if my OpenAFS is using the `rxkad-k5` extension? I searched Debian packages via `apt-cache search rxkad-k5` and `rxkad` and found nothing.
3. Since `aes256-cts-hmac-sha1-96` looks like a string identifier, how can I determine the "krb5 encryption type number" for this encryption in order to import it via `asetkey`?
4. I noticed `openafs-krb5` is a separate package from `openafs-{fileserver,dbserver,client}`. Is there a recommended way of managing OpenAFS authentication on Debian without setting up Kerberos?
5. I found that `akeyconvert` claims to help import keys "from the krb5 keytab format to the KeyFileExt format". Should I be using `akeyconvert` to convert my `afs.keytab` key into OpenAFS?
Statistics: Posted by ealfonsoy — 2024-05-27 23:21 — Replies 1 — Views 20
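Added example, not part of the post above: a small parser for the MIT keytab format that `ktadd` writes (version 0x0502), which reports each entry's kvno and its numeric krb5 encryption type, the number the KeyFileExt man page says `asetkey` needs rather than the `aes256-cts-hmac-sha1-96` string that `ktadd` prints. The sample keytab is constructed in the block with dummy key bytes so it runs offline; `build_keytab` exists only to produce that sample.

```python
import struct
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5",             # RFC 3961 / IANA registry
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}

def _read_counted(blob: bytes, pos: int):
    # Keytab "counted octet string": big-endian uint16 length followed by the bytes.
    n = struct.unpack_from(">H", blob, pos)[0]
    return blob[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def build_keytab(entries) -> bytes:
    """Encode (principal, realm, kvno, enctype, key) tuples as an MIT keytab v2 file (0x0502)."""
    out = b"\x05\x02"
    for princ, realm, kvno, etype, key in entries:
        comps = princ.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:                             # realm, then name components
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)       # name type, timestamp, 8-bit vno
        body += struct.pack(">HH", etype, len(key)) + key      # keyblock: enctype, length, key
        body += struct.pack(">I", kvno)                         # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(blob: bytes) -> list:
    """Return one dict per live entry: principal, realm, kvno and the numeric enctype."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        size = struct.unpack_from(">i", blob, pos)[0]
        pos, end = pos + 4, pos + 4 + abs(size)              # a negative size marks a deleted slot
        if size <= 0:
            pos = end
            continue
        ncomp = struct.unpack_from(">H", blob, pos)[0]
        realm, pos = _read_counted(blob, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(blob, pos)
            comps.append(comp)
        _ntype, _stamp, vno8, etype, klen = struct.unpack_from(">IIBHH", blob, pos)
        pos += 13 + klen                     # skip the key material; only metadata is reported
        kvno = struct.unpack_from(">I", blob, pos)[0] if end - pos >= 4 else vno8
        entries.append({"principal": "/".join(comps), "realm": realm, "kvno": kvno,
                        "enctype": etype, "enctype_name": ENCTYPE_NAMES.get(etype, "unknown")})
        pos = end
    return entries

# Constructed sample mirroring the post's ktadd output (dummy key bytes, not real keys).
SAMPLE = build_keytab([("afs", "EXAMPLE.COM", 4, 18, b"\x11" * 32),
                       ("afs", "EXAMPLE.COM", 4, 17, b"\x22" * 16)])
```

Run against a real `/tmp/afs.ktab` by passing `open(path, "rb").read()` to `parse_keytab`; for the post's keytab it reports enctype 18 for the aes256 entry and 17 for the aes128 entry.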