linux-announce - Re: [[Linux-announce] ] arcfour keytab issues

linux-announce AT

Subject: Linux Mailing List

  • From: "Konrad Bucheli (PSI)" <konrad.bucheli AT>
  • To: linux-announce AT
  • Cc: Kohler Marco <marco.kohler AT>
  • Subject: Re: [[Linux-announce] ] arcfour keytab issues
  • Date: Thu, 30 Nov 2023 13:57:00 +0100

PS: with RHEL9 we will no longer offer arcfour-hmac

On 30.11.23 13:53, Konrad Bucheli (PSI) wrote:

With Release 8.9 of RedHat Enterprise Linux arcfour-hmac was removed from the legacy crypto algorithm set of Kerberos. As this is still used in some keytabs I brought it back today with an emergency release of our Puppet code.

Nonetheless please check your keytabs for the crypto algorithms used:

# klist -e -d -K -k /path/to/example.keytab
Keytab name: FILE:/path/to/example.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 gac-example AT D.PSI.CH (DEPRECATED:arcfour-hmac) (0xb1223971f9cf567d71680b9b366b3126)

and if it is just arcfour-hmac please consider scheduling a replacement. To do so please contact the AD-Team (Marco Kohler).

Please check the date on the security advisory by Microsoft suggesting to disable RC4:

Kind regards

Paul Scherrer Institut
Konrad Bucheli
Linux Systems Engineer
Core Linux Research Services
Science IT Infrastructure and Services department (AWI)
Forschungstrasse 111
5232 Villigen PSI

Phone: +41 56 310 27 24
konrad.bucheli AT
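
The keytab check described in the mail above, as an added example that is not part of the original message: it reads `klist -e -k` output and lists principals whose entries are arcfour-hmac only. The function names, the sample realm EXAMPLE.TEST and the `rc4-hmac` alias match are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original mail.

# Read `klist -e -k` output on stdin and print each principal whose keytab
# entries all use arcfour-hmac (RC4), i.e. the keytabs that need a replacement.
rc4_only_principals() {
    awk '
        $1 ~ /^[0-9]+$/ {                      # entry lines start with the KVNO
            princ = ""; etype = ""
            for (i = 2; i <= NF; i++) {
                if (princ == "" && $i ~ /@/) { princ = $i; continue }
                # first "(...)" after the principal is the enctype; "(0x...)" is -K key output
                if (princ != "" && $i ~ /^\(/ && $i !~ /^\(0x/) { etype = $i; break }
            }
            if (princ == "" || etype == "") next
            gsub(/[()]/, "", etype)
            sub(/^DEPRECATED:/, "", etype)     # prefix as shown in the mail
            if (etype ~ /^(arcfour-hmac|rc4-hmac)/) rc4[princ] = 1
            else other[princ] = 1
        }
        END { for (p in rc4) if (!(p in other)) print p }
    ' | sort
}

# Constructed sample in the format shown in the mail (realm is a placeholder).
sample_klist_output() {
    cat <<'EOF'
Keytab name: FILE:/path/to/example.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 gac-example@EXAMPLE.TEST (DEPRECATED:arcfour-hmac)
   3 host/node1.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   3 host/node1.example.test@EXAMPLE.TEST (DEPRECATED:arcfour-hmac)
EOF
}

# Usage: sh check-keytabs.sh /path/to/a.keytab ...  (-K is left out on purpose
# so key material never reaches the terminal or a log)
for kt in "$@"; do
    klist -e -k "$kt" | rc4_only_principals | sed "s|^|$kt: |"
done
```

A principal that also has an AES entry is not reported, since only keytabs that are "just arcfour-hmac" need a replacement.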
