
I'm having trouble exporting and importing kerberos keys into openafs.

My first problem is that when using addprinc and ktadd commands in kadmin.local, the encryption key type -e option appears to be ignored. For example when I try to add a key of type des-cbc-crc:v4, a key of type aes256-cts-hmac-sha1-96 appears to be added instead:

    kadmin.local: ktadd -e des-cbc-crc:v4 -k /tmp/afs.ktab afs
    Entry for principal afs with kvno 4, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/afs.ktab.
    Entry for principal afs with kvno 4, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/afs.ktab.

The same happens with addprinc: I try to specify -e DES-CBC-CRC:md5 for the key type, but this appears to be ignored and I end up with an aes128-cts-hmac-sha1-96 key:

    $ kadmin.local
    Authenticating as principal root/[email protected] with password.
    kadmin.local: addprinc -policy service -randkey -e DES-CBC-CRC:md5 afs
    WARNING: policy "service" does not exist
    Principal "[email protected]" created.
    kadmin.local: getprinc afs
    Principal: [email protected]
    Expiration date: [never]
    Last password change: Mon May 27 18:22:21 EDT 2024
    Password expiration date: [never]
    Maximum ticket life: 0 days 10:00:00
    Maximum renewable life: 7 days 00:00:00
    Last modified: Mon May 27 18:22:21 EDT 2024 (root/[email protected])
    Last successful authentication: [never]
    Last failed authentication: [never]
    Failed password attempts: 0
    Number of keys: 2
    Key: vno 1, aes256-cts-hmac-sha1-96
    Key: vno 1, aes128-cts-hmac-sha1-96
    MKey: vno 1
    Attributes: REQUIRES_PRE_AUTH
    Policy: service [does not exist]
    kadmin.local:

Additionally, when I try to import this key using asetkey, I get an unreadable error message:

    sudo asetkey add 4 /tmp/afs.ktab afs
    asetkey: unknown RPC error (-1765328203) for keytab entry with Principal [email protected], kvno 4, DES-CBC-CRC/MD5/MD4

Reading the asetkey manpage I see a strong recommendation against using the des-cbc-crc key type and using the rxkad-k5 extension instead:

    A modern AFS cell should be using the rxkad-k5 extension, or risks terribly insecure operation (complete cell compromise for $100 in 1 day). The keys used for rxkad-k5 operation are stored in the KeyFileExt. Cells not using the rxkad-k5 extension (i.e., stock rxkad) use keys of the des-cbc-crc encryption type, which are stored in the KeyFile.

Reading further, the KeyFileExt man page says that trying to add rxkad-k5 keys requires specifying a krb5 encryption type number, which is distinct from a string identifier:

    Using asetkey(8) to add rxkad-k5 keys to the KeyFileExt also requires specifying a krb5 encryption type number. Since the encryption type must be specified by its number (not a symbolic or string name), care must be taken to determine the correct encryption type to add.

I'm stuck with a lot of related questions:

  1. Why does kadmin appear to ignore my specified encryption type?

  2. How do I determine if my openafs is using the rxkad-k5 extension? I searched debian packages via apt-cache search rxkad-k5 and rxkad and found nothing.

  3. Since aes256-cts-hmac-sha1-96 looks like a string identifier, how can I determine the "krb5 encryption type number" for this encryption in order to import it via asetkey?

  4. I noticed openafs-krb5 is a separate package from openafs-{fileserver,dbserver,client}. Is there a recommended way of managing openafs authentication on debian without setting up kerberos?

  5. I found that akeyconvert claims to help importing keys from the krb5 keytab format to the KeyFileExt format. Should I be using akeyconvert to convert my afs.keytab key into openafs?

2 Answers


After reading more about akeyconvert, it appears that it is the tool I needed to import keys into openafs. The tool expects to find the input krb5 key in /etc/openafs/server/rxkad.keytab and outputs the openafs-compatible key into /etc/openafs/server/KeyFileExt:

    sudo cp /tmp/afs.ktab /etc/openafs/server/rxkad.keytab
    sudo akeyconvert -all

    $ sudo asetkey list
    rxkad_krb5 kvno ? enctype ?; key is: ????????????????????????????????
    rxkad_krb5 kvno ? enctype ?; key is: ????????????????????????????????????????????????????????????????
    All done.

Why does kadmin appear to ignore my specified encryption type?

MIT Kerberos has disabled single-DES by default in Krb5 1.17 (with the allow_weak_crypto option to re-enable it) and completely removed single-DES support in Krb5 version 1.18.

Most likely, though, you do not need it; all recent OpenAFS versions (1.6.5 or later, backported to 1.4.15+) support non-DES service keys – if you had an rxkad.keytab before, then you were already running a version of OpenAFS that had rxkad-k5 support.

How do I determine if my openafs is using the rxkad-k5 extension? I searched debian packages via apt-cache search rxkad-k5 and rxkad and found nothing.

rxkad-k5 & rxkad-kdf were added in OpenAFS 1.6.5 (and backported to 1.4.15 for the 1.4 series).

All versions of OpenAFS that use KeyFileExt (i.e. 1.8.x) already support rxkad-k5 & rxkad-kdf.

Even the original rxkad-k5 is already obsolete as it still expects the KDC to return DES session keys in the Kerberos ticket (due to the AFS rxkad token format only having space for a 56-bit session key). Since that's no longer going to happen with a modern KDC, your aklog will actually use a variant called rxkad-kdf, which derives the AFS 56-bit session key from whatever strong key the Kerberos ticket provides.

(It's still a 56-bit session key either way, though… but at least it has a very limited lifetime – still much better than having a 56-bit service key that nobody rotates for centuries.)

OpenAFS 1.9 is supposed to have proper Kerberos 5 support via rxgk but that's going to take another decade or two to be released.

Since aes256-cts-hmac-sha1-96 looks like a string identifier, how can I determine the "krb5 encryption type number" for this encryption in order to import it via asetkey?

You can look it up in the IANA Kerberos parameters registry.

I noticed openafs-krb5 is a separate package from openafs-{fileserver,dbserver,client}. Is there a recommended way of managing openafs authentication on debian without setting up kerberos?

No. This package likely exists for either packaging dependency reasons (Debian likes to split things up), and/or as a relic from the OpenAFS kaserver era.

AFS authentication was always Kerberos-based, but originally it had a kaserver component that implemented a slightly-incompatible AFS flavor of Kerberos IV (i.e. the original "rxkad"). The kaserver was essentially a Kerberos IV KDC with AFS-style administration tools (the 'kas' command similar to 'pts') and of course with Ubik database replication.

(This is where the "DES only" limitation of AFS comes from, by the way – Kerberos IV only supported DES and so did the AFS kaserver, so the rxkad tokens are sized to fit only 56-bit keys to this day.)

So from a Debian packaging perspective, a few releases ago, you would've had a choice between installing an aklog that gets rxkad tokens directly from a kaserver, and an aklog that gets Krb5 tickets and converts those into rxkad tokens.

But as Krb4 is completely obsolete nowadays (it had some critical issues on top of being limited to single-DES), the kaserver has been removed from OpenAFS and you're supposed to run a standard Kerberos 5 KDC alongside.

I found that akeyconvert claims to help importing keys from the krb5 keytab format to the KeyFileExt format. Should I be using akeyconvert to convert my afs.keytab key into openafs?

Yes, you should use akeyconvert, but if you wanted to use asetkey, it could be done like this:

    #!/usr/bin/env bash
    # Numeric encryption types, from
    # https://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml
    declare -A etypes=(
        ["aes256-cts-hmac-sha1-96"]=18
        ["aes128-cts-hmac-sha1-96"]=17
        ["des3-cbc-sha1"]=16
        ["arcfour-hmac"]=23
    )
    declare keytab="/etc/openafs/server/rxkad.keytab"
    declare ThisCell=$(< /etc/openafs/ThisCell)

    # NOTE: This expects the MIT flavor of `klist`.
    # `klist -ekt` prints: <kvno> <date> <time> <principal> (<etype>)
    klist -ekt "$keytab" | while read -r kvno _ _ princ etype; do
        princ=${princ%%@*}                  # strip the @REALM part
        if [[ "$princ" == "afs/$ThisCell" ]]; then
            etype=${etype//[()]}            # strip the parentheses around the etype name
            etype_id=${etypes[$etype]}
            if [[ "$etype_id" ]]; then
                (set -x; asetkey add rxkad_krb5 "$kvno" "$etype_id" "$keytab" "$princ")
            else
                echo "$0: unknown etype $etype" >&2
            fi
        fi
    done
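The same keytab-to-asetkey mapping as a testable Python helper, added here as an example and not part of either answer or of OpenAFS. It parses MIT `klist -ekt` output (the keytab name, header and separator lines are skipped because they do not match the entry pattern), looks up the numeric krb5 enctype from an inline table of IANA registry values, builds the `asetkey add rxkad_krb5` argument vector, and, following the asetkey manpage quoted in the question, refuses single-DES entries instead of importing them. The realm, timestamps, principal names and keytab path in the sample listing are constructed; the `plan_asetkey` and `parse_klist` names are this example's own.

```python
#!/usr/bin/env python3
"""Turn MIT `klist -ekt` output into asetkey(8) 'add rxkad_krb5' commands.

Added example, not code from the question, the answers or OpenAFS itself.
"""
import re
from typing import List, NamedTuple, Tuple

# Numeric encryption types from the IANA Kerberos parameters registry
# (only the types commonly found in keytabs are listed).
ETYPE_NUMBERS = {
    "des-cbc-crc": 1,
    "des-cbc-md4": 2,
    "des-cbc-md5": 3,
    "des3-cbc-sha1": 16,
    "aes128-cts-hmac-sha1-96": 17,
    "aes256-cts-hmac-sha1-96": 18,
    "aes128-cts-hmac-sha256-128": 19,
    "aes256-cts-hmac-sha384-192": 20,
    "arcfour-hmac": 23,
}
SINGLE_DES = {1, 2, 3}  # 56-bit key types the asetkey manpage warns against

# One entry line of `klist -ekt`, e.g.
# "   4 05/27/2024 18:22:21 afs/cell@REALM (aes256-cts-hmac-sha1-96)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")


class KeytabEntry(NamedTuple):
    kvno: int
    principal: str  # with realm, exactly as klist printed it
    etype: str


def parse_klist(listing: str) -> List[KeytabEntry]:
    """Parse `klist -ekt` output; non-entry lines do not match and are skipped."""
    entries = []
    for line in listing.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(KeytabEntry(int(m.group(1)), m.group(2), m.group(3)))
    return entries


def plan_asetkey(listing: str, service_principal: str, keytab: str
                 ) -> Tuple[List[List[str]], List[Tuple[int, str, str]]]:
    """Return (commands, skipped).

    commands: argv lists of the form
              asetkey add rxkad_krb5 <kvno> <etype-number> <keytab> <principal>
    skipped:  (kvno, etype-name, reason) for entries that were not imported.
    Entries belonging to other principals in the keytab are ignored.
    """
    commands, skipped = [], []
    for e in parse_klist(listing):
        princ = e.principal.split("@", 1)[0]  # asetkey takes the name without realm
        if princ != service_principal:
            continue
        etype_id = ETYPE_NUMBERS.get(e.etype)
        if etype_id is None:
            skipped.append((e.kvno, e.etype, "unknown etype"))
        elif etype_id in SINGLE_DES:
            skipped.append((e.kvno, e.etype, "single-DES"))
        else:
            commands.append(["asetkey", "add", "rxkad_krb5", str(e.kvno),
                             str(etype_id), keytab, princ])
    return commands, skipped


# Constructed sample listing: realm, timestamps and principals are made up.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/openafs/server/rxkad.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 05/27/2024 18:22:21 afs/example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   4 05/27/2024 18:22:21 afs/example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 05/20/2024 10:00:00 afs/example.com@EXAMPLE.COM (des-cbc-crc)
   2 05/20/2024 10:00:00 host/fs1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

if __name__ == "__main__":
    import shlex
    cmds, skipped = plan_asetkey(SAMPLE_KLIST, "afs/example.com",
                                 "/etc/openafs/server/rxkad.keytab")
    for argv in cmds:
        print(shlex.join(argv))  # printed only; run them as root once reviewed
    for kvno, etype, why in skipped:
        print(f"skipped kvno {kvno} ({etype}): {why}")
```

On the sample listing this yields two `asetkey add rxkad_krb5 4 18 …` / `… 4 17 …` commands for the AES keys, reports the kvno 3 des-cbc-crc entry as skipped, and ignores the host/ principal entirely. Feeding it real output means running `klist -ekt /etc/openafs/server/rxkad.keytab` and passing the captured text in place of `SAMPLE_KLIST`.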
