
linux-announce - [Linux-announce] arcfour keytab issues

linux-announce AT lists.psi.ch

Subject: Linux Mailing List

  • From: "Konrad Bucheli (PSI)" <konrad.bucheli AT psi.ch>
  • To: linux-announce AT lists.psi.ch
  • Cc: Kohler Marco <marco.kohler AT psi.ch>
  • Subject: [Linux-announce] arcfour keytab issues
  • Date: Thu, 30 Nov 2023 13:53:53 +0100

Hi

With Release 8.9 of Red Hat Enterprise Linux, arcfour-hmac was removed from the legacy crypto algorithm set of Kerberos. As this is still used in some keytabs, I brought it back today with an emergency release of our Puppet code.

Nonetheless, please check your keytabs for the crypto algorithms used:

# klist -e -d -K -k /path/to/example.keytab
Keytab name: FILE:/path/to/example.keytab
KVNO Principal
---- --------------------------------------------------------------------------
5 gac-example AT D.PSI.CH (DEPRECATED:arcfour-hmac) (0xb1223971f9cf567d71680b9b366b3126)
#

and if it is just arcfour-hmac, please consider scheduling a replacement. To do so, please contact the AD-Team (Marco Kohler).

Please check the date on the security advisory by Microsoft suggesting to disable RC4:
https://learn.microsoft.com/en-us/security-updates/SecurityAdvisories/2013/2868725

Kind regards
Konrad

--
Paul Scherrer Institut
Konrad Bucheli
Linux Systems Engineer
Core Linux Research Services
Science IT Infrastructure and Services department (AWI)
OBBA/230
Forschungstrasse 111
5232 Villigen PSI
Switzerland

Phone: +41 56 310 27 24
konrad.bucheli AT psi.ch
www.psi.ch
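
The check described in the message, as an added example (not part of the original e-mail or of PSI's tooling): a shell function that reads `klist -e -k` output and reports, per principal, whether its keys are arcfour-hmac only. The function names, the status labels and the sample listing in the EXAMPLE.ORG realm are constructed for illustration; `-K` is not needed because the key values are not inspected.

```shell
#!/bin/sh
# Classify each principal in `klist -e -k` output read from stdin.
# Prints "<status> <principal>" per principal, in first-seen order:
#   rc4-only   every key listed for the principal is arcfour-hmac
#   rc4-mixed  arcfour-hmac is listed alongside other enctypes
#   ok         no arcfour-hmac key listed
# Assumes the listing was produced without -t (no timestamp column).
classify_keytab_listing() {
    awk '
        # Key lines start with a numeric KVNO; header lines do not.
        # The first parenthesised group on the line is the enctype; with -K
        # the key value follows in a second group and is ignored here.
        $1 ~ /^[0-9]+$/ && match($0, /\([^)]*\)/) {
            princ = $2
            etype = tolower(substr($0, RSTART + 1, RLENGTH - 2))
            if (!(princ in total)) order[++n] = princ
            total[princ]++
            # Matches "DEPRECATED:arcfour-hmac" as well as plain "arcfour-hmac".
            if (etype ~ /arcfour/) rc4[princ]++
        }
        END {
            for (i = 1; i <= n; i++) {
                p = order[i]
                if (rc4[p] + 0 == total[p]) status = "rc4-only"
                else if (rc4[p] + 0 > 0)    status = "rc4-mixed"
                else                        status = "ok"
                print status, p
            }
        }'
}

# Constructed sample listing (not real output from any PSI host).
sample_listing() {
    cat <<'EOF'
Keytab name: FILE:/path/to/example.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 gac-example@EXAMPLE.ORG (DEPRECATED:arcfour-hmac)
   3 host/node1.example.org@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
   3 host/node1.example.org@EXAMPLE.ORG (DEPRECATED:arcfour-hmac)
   2 svc-demo@EXAMPLE.ORG (aes128-cts-hmac-sha1-96)
EOF
}

# Real use: klist -e -k /path/to/example.keytab | classify_keytab_listing
sample_listing | classify_keytab_listing
```

Principals reported as `rc4-only` are the ones the message asks to have replaced; `rc4-mixed` entries keep working with a stronger enctype if arcfour-hmac is disabled again.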


