KDC: weak crypto in default settings
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
krb5 (Debian) |
Fix Released
|
Unknown
|
|||
krb5 (Ubuntu) |
Fix Released
|
Medium
|
Unassigned | ||
Jammy |
Fix Released
|
Medium
|
Andreas Hasenack | ||
Kinetic |
Fix Released
|
Medium
|
Unassigned |
Bug Description
[ Impact ]
The default crypto algorithm suite selected for the master key in the ubuntu krb5-kdc package is des3-hmac-sha1. This comes from a config file shipped with the packaging which overrides upstream's default choice.
Users who deploy a KDC using this package will be using an algorithm deprecated since many years ago, and considered broken nowadays for security applications. Furthermore, the KDC will highlight this fact with "deprecated" warnings in the logs and elsewhere. For example:
root@j-
Keytab name: FILE:/etc/
KVNO Principal
---- -------
1 K/M@LXD (DEPRECATED:
And in the kdc logs:
Apr 05 14:20:01 j-kdc-weak-crypto krb5kdc[7323]: Stash file /etc/krb5kdc/stash uses DEPRECATED enctype des3-cbc-sha1!
This update removes the specification of an algorithm and leaves it to the upstream default, which is aes256-
Kerberos is quite conservative when it comes to updating encryption algorithms, and one could argue that the default should be something like aes256-
1. https:/
[ Test Plan ]
The test plan will involve two main aspects:
- upgrades must not change the existing encryption type, and won't get a dpkg conf prompt
- fresh installs must use the new crypto algorithm
a) Upgrade does not change algorithm
Start by installing a kdc with the released packages (not from proposed):
# When prompted, accept the defaults
sudo apt install krb5-kdc krb5-admin-server
# Verify that master_key_type is set to the deprecated des3-hmac-sha1 value:
$ sudo grep master_key_type /etc/krb5kdc/
# bootstrap a new realm, type in a password of your choosing (you won't need it again):
$ sudo krb5_newrealm
# Verify the actual encryption used in the stash file and confirm it's the same, and that you get a DEPRECATED warning:
$ sudo klist -ke /etc/krb5kdc/stash
Keytab name: FILE:/etc/
KVNO Principal
---- -------
1 K/M@LXD (DEPRECATED:
# Upgrade to the packages in proposed. Confirm there is no dpkg conf prompt, and repeat the two checks above (the grep, and the klist command). Their output must not have changed, i.e., the system will still be using the deprecated 3des-sha1 algorithm for the master key/stash file.
b) Fresh install of proposed packages
# Perform a fresh install of the packages in proposed. As before, accept the defaults when asked debconf questions:
sudo apt install krb5-kdc krb5-admin-server
# Verify that the master_key_type is now commented ("#" in front) and no longer shows the deprecated "3des-hmac-sha1" value, but instead shows "aes256-cts":
$ sudo grep master_key_type /etc/krb5kdc/
# bootstrap a new realm, type in a password of your choosing (you won't need it again):
$ sudo krb5_newrealm
# Verify the actual encryption used in the stash file, and confirm it's no longer "des3-cbc-sha1", but instead "aes256-
$ sudo klist -ke /etc/krb5kdc/stash
Keytab name: FILE:/etc/
KVNO Principal
---- -------
1 K/M@LXD (aes256-
[ Where problems could occur ]
The crypto that is being changed for new fresh installations affects the /etc/krb5kdc/stash file[2], and the K/M@REALM principal key (which are the same: it's called the master key). This is the key that encrypts the database.
For deployments with a primary KDC and a secondary KDC (replication), the stash file has to be copied to the secondary so that it can decrypt the replicated database. If that secondary has no support for the crypto algorithm that was chosen for the stash file (for example, it could be an older KDC version that only supports 3des-sha1, and not aes256), then it won't be able to decrypt it, and thus won't be able to read the database.
2. https:/
[ Other Info ]
The master_key_type setting does not affect the crypto algorithms that are used for tickets and the like. Even with the deprecated 3des setting, the tickets obtained by users will be typically using aes256. The master_key_type only affects the crypto algorithm used to protect the stash file.
Changing the existing stash file to use another encryption method is very involved and requires several steps. It's documented upstream: https:/
Even if someone changes the kdc.conf file and updates the master_key_type encryption in there without changing the actual stash file, it won't break. The KDC is still able to read the file and decrypt it, even though the encryption type of the file no longer matches the configuration.
[ Original Description ]
Default setting in /etc/krb5kdc/
master_key_type = des3-hmac-sha1
3DES was deprecated by NIST in 2017, i.e. give years ago! Reference: https:/
SHA-1 was deprecated as well, in 2011, i.e. eleven years ago! Reference: https:/
A reasonable default would probably be:
master_key_type = aes256-
ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: krb5-kdc 1.19.2-2
ProcVersionSign
Uname: Linux 5.15.0-40-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.1
Architecture: amd64
CasperMD5CheckR
Date: Thu Jul 14 12:34:22 2022
InstallationDate: Installed on 2022-05-30 (45 days ago)
InstallationMedia: Ubuntu-Server 22.04 LTS "Jammy Jellyfish" - Release amd64 (20220421)
ProcEnviron:
TERM=xterm-
PATH=(custom, no user)
XDG_RUNTIME_
LANG=en_IE.UTF-8
SHELL=/bin/bash
SourcePackage: krb5
UpgradeStatus: No upgrade log present (probably fresh install)
Related branches
- git-ubuntu bot: Approve
- Robie Basak: Approve
- Canonical Server Reporter: Pending requested
-
Diff: 28 lines (+8/-1)2 files modifieddebian/changelog (+7/-0)
debian/kdc.conf (+1/-1)
Changed in krb5 (Ubuntu): | |
status: | New → Confirmed |
Changed in krb5 (Debian): | |
status: | Unknown → Fix Released |
tags: | added: bitesize server-todo |
Changed in krb5 (Ubuntu Jammy): | |
status: | New → Triaged |
Changed in krb5 (Ubuntu): | |
importance: | Undecided → Medium |
Changed in krb5 (Ubuntu Jammy): | |
importance: | Undecided → Medium |
Changed in krb5 (Ubuntu Jammy): | |
assignee: | nobody → Andreas Hasenack (ahasenack) |
Changed in krb5 (Ubuntu Jammy): | |
status: | Triaged → In Progress |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
A helpful hwoto for users who want to update the weak KDC master key with state-of-the-art crypto: /docs.oracle. com/cd/ E36784_ 01/html/ E37126/ st-mkey- 1.html
https:/