
How to re-key your Kerberos principals with AES only


5.0 - Updated on 2021-02-19 by Carlos Salazar (Inactive)

4.0 - Updated on 2021-02-17 by Brittany Bossarte

3.0 - Updated on 2021-02-17 by Brittany Bossarte

2.0 - Updated on 2020-11-25 by Brittany Bossarte

1.0 - Authored on 2019-11-05 by Thomas Bozonelos


 

Intended for:

This article is intended for system administrators and system owners.

 


Scenario/Use case:

Advances in computing power have made some encryption methods (e.g., DES and 3DES) vulnerable to attack, so they are deprecated and have been replaced by another encryption method, AES. System administrators and system owners should re-key their Kerberos principals with AES as soon as possible.

 

This article provides instructions on how to:

 


Instructions:

How to re-key your special Kerberos principal with AES only

 

NOTE: These commands should only be run by the Administrator of the host that the special principal is located on.

 

1) View your current keytab.

klist -kte [location of keytab for special principal]

NOTE: This will list all current keys in the keytab with your special principal. All of these will either need to be re-keyed or removed.

 

For example:

klist -kte /var/adm/krb5/example.keytab

 

2) Re-key your special Kerberos principal with AES only.

kadmin -kt [location of keytab for special principal] -p [special principal] -q "ktadd -k [location of keytab for special principal] [special principal]"

 

For example:

kadmin -kt /var/adm/krb5/example.keytab -p test/cd/example.fnal.gov@FNAL.GOV -q "ktadd -k /var/adm/krb5/example.keytab test/cd/example.fnal.gov@FNAL.GOV"

 

3) Remove old keytabs.

kadmin -kt [location of keytab for special principal] -p [special principal] -q "ktremove -k [location of keytab for special principal] [special principal] old"

NOTE: You may need to wait about 20 minutes for the new key to propagate to all KDCs.

 

4) Run tests to make sure that your special principal works as before.

 

NOTE: If re-keying with AES doesn’t work for you, please open a ticket with Service Desk.

 



How to re-key your host Kerberos principal with AES only

 

Step 1: Run these commands to re-key your host Kerberos principal with AES only.

NOTE: These commands should only be run by the Administrator of the host and should be run as root.

 

1) View your current keytab.

klist -kte /etc/krb5.keytab

NOTE: This will list all current keys on your machine. All of these will either need to be re-keyed or removed.

 

If you are using a MacBook, do the following:

ktutil --keytab=mykeytab list

or

ktutil -k mykeytab list

Replace mykeytab with the path to the keytab file.

 

2) Re-key your host Kerberos principal with AES only.

kadmin -kt /etc/krb5.keytab -q "ktadd host/${HOSTNAME}@FNAL.GOV"

 

 

3) If you have an ftp principal and need to re-key, run this command.

kadmin -kt /etc/krb5.keytab -p ftp/${HOSTNAME}@FNAL.GOV -q "ktadd ftp/${HOSTNAME}@FNAL.GOV"

NOTE: If you do not run an FTP service, this principal should be removed from your machine.

 

  1. Removing ftp principal.

kadmin -kt /etc/krb5.keytab -q "ktremove ftp/${HOSTNAME}@FNAL.GOV"

 

 

4) Remove old keytabs.

kadmin -kt /etc/krb5.keytab -q "ktremove host/${HOSTNAME}@FNAL.GOV old"

NOTE: If you do not want to cause issues for users, or do not want them to have to kdestroy, wait at least 8 days to remove old keys.

 

 

Step 2: After re-keying, you must do the following.

 

1) Wait about 20 minutes for propagation.

 

2) Destroy your ticket by running this command.

kdestroy

 

3) Get a new ticket for the username that can connect to the remote host by running this command.

kinit <username>

  

4) Connect back to your remote host.

  

5) Run tests to make sure that your remote host works as before.

 

NOTE: If re-keying with AES doesn’t work for you, please open a ticket with Service Desk.
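To confirm the result of the procedures above, the listing from "View your current keytab" can be checked by script for keys that are not AES and for principals that still carry old key versions. This is an added example, not part of the original article: the function names and the sample listing are constructed, and it assumes the MIT `klist -kte` layout (KVNO, date, time, principal, encryption type in parentheses).

```shell
#!/bin/sh
# Added example: audit `klist -kte` output after re-keying.

# Constructed sample listing (not from a real host). Newer MIT releases
# prefix weak enctypes with "DEPRECATED:".
sample_listing() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ----------------------------------------------
   2 11/05/2019 09:12:44 host/example.fnal.gov@FNAL.GOV (des3-cbc-sha1)
   2 11/05/2019 09:12:44 host/example.fnal.gov@FNAL.GOV (arcfour-hmac)
   3 02/17/2021 14:03:10 host/example.fnal.gov@FNAL.GOV (aes256-cts-hmac-sha1-96)
   3 02/17/2021 14:03:10 host/example.fnal.gov@FNAL.GOV (aes128-cts-hmac-sha1-96)
   1 11/05/2019 09:15:02 ftp/example.fnal.gov@FNAL.GOV (DEPRECATED:des-cbc-crc)
EOF
}

# Reads a listing on stdin, prints "kvno principal enctype" for every key
# whose enctype does not start with "aes", and returns 1 if any were found.
non_aes_keys() {
    awk '
        $1 ~ /^[0-9]+$/ && /\)[ \t]*$/ {
            sub(/[ \t]+$/, "")          # drop trailing blanks
            enc = $0
            sub(/^.*\(/, "", enc)       # keep the text after the last "("
            sub(/\)$/, "", enc)
            if (tolower(enc) !~ /^aes/) { print $1, $4, enc; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Prints principals that still hold keys under more than one kvno, i.e.
# where the "ktremove ... old" step has not been run yet.
principals_with_old_keys() {
    awk '
        $1 ~ /^[0-9]+$/ && /\)[ \t]*$/ {
            if (!(($4 SUBSEP $1) in seen)) { seen[$4 SUBSEP $1] = 1; n[$4]++ }
        }
        END { for (p in n) if (n[p] > 1) print p }
    ' | sort
}

# Demo on the sample; on a real host use: klist -kte /etc/krb5.keytab | non_aes_keys
sample_listing | non_aes_keys || echo "non-AES keys remain: re-key or remove them"
sample_listing | principals_with_old_keys
```

An empty result from both functions means the keytab holds only AES keys at a single key version per principal.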

 


How to troubleshoot common re-keying issues

 

1) Error message: ssh_packet_read: Connection closed

 

    Reason for the error: If you see this error when trying to connect back to your remote host after re-keying, please wait up to 20 minutes for the propagation to occur.

 

2) Error message: kadmin: Preauthentication failed while initializing kadmin interface

 

    Reason for the error: This may mean that you have entered the wrong password.

 

3) Error message: kadmin: Keytab contains no suitable keys for host/localhost@ while initializing kadmin interface

 

    Reason for the error: This may mean that the remote host is not on the network and cannot talk to the KDCs.

 

4) Error message: ktadd: Invalid argument while parsing keysalts aes256-cts-hmac-sha1-96:normal,aes128-cts-hmacsha1-96:normal

 

    Reason for the error: This means that there is a typo in the command you typed.

 

5) Error message: kadmin: Client's entry in database has expired while initializing kadmin interface

 

    Reason for the error: This means that the Kerberos principal you are trying to use has expired.

 

6) Error message: kadmin: Pre-authentication failed: Permission denied while initializing kadmin interface

 

    Reason for the error: This means that you do not have the permission to edit or update the keytab on the remote host.