
How to re-key your host Kerberos principal with AES only


5.0 - Updated on 2021-02-19 by Carlos Salazar (Inactive)

4.0 - Updated on 2021-02-17 by Brittany Bossarte

3.0 - Updated on 2021-02-17 by Brittany Bossarte

2.0 - Updated on 2020-11-25 by Brittany Bossarte

1.0 - Authored on 2019-11-05 by Thomas Bozonelos

Intended for:

System administrators and system owners

 


Scenario/Use case:

Advances in computational power have made some encryption types (e.g., DES and 3DES) vulnerable to attack; they are therefore deprecated and replaced by AES. System administrators and system owners should re-key their host Kerberos principal with AES as soon as possible.

 

This article provides instructions on how to:


Instructions:

How to re-key your host Kerberos principal with AES only

 

Step 1: Run these commands to re-key your host Kerberos principal with AES only.

 

1) View your current keytab.

klist -kte /etc/krb5.keytab

NOTE: This will list all current keys on your machine. All of these will either need to be re-keyed or removed.

 

2) Re-key your host Kerberos principal with AES only.

kadmin -kt /etc/krb5.keytab -q "ktadd -e aes256-cts-hmac-sha1-96:normal,aes128-cts-hmac-sha1-96:normal host/${HOSTNAME}.fnal.gov@FNAL.GOV"

 

 

3) If you have an ftp principal and need to re-key, run this command.

kadmin -kt /etc/krb5.keytab -p ftp/${HOSTNAME}.fnal.gov@FNAL.GOV -q "ktadd -e aes256-cts-hmac-sha1-96:normal,aes128-cts-hmac-sha1-96:normal ftp/${HOSTNAME}.fnal.gov@FNAL.GOV"

NOTE: If you do not run an FTP service, this principal should be removed from your machine.

 

 

4) Remove the old keys from the keytab.

kadmin -kt /etc/krb5.keytab -q "ktremove host/${HOSTNAME}.fnal.gov@FNAL.GOV old"

NOTE: If you do not want to cause issues for users, or do not want them to have to run kdestroy, wait at least 8 days before removing the old keys.
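As an added check (example script written for this article, not part of the original procedure), the following parses the output of klist -kte to flag keys that still use a non-AES encryption type and principals that have no AES key at all. The keytab listing is a constructed sample and example.fnal.gov is a placeholder hostname.

```shell
#!/bin/sh
# Constructed sample of `klist -kte /etc/krb5.keytab` output (placeholder host, not a real keytab).
SAMPLE='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- --------------------------------------------------------
   3 11/05/2019 10:12:01 host/example.fnal.gov@FNAL.GOV (des-cbc-crc)
   3 11/05/2019 10:12:01 host/example.fnal.gov@FNAL.GOV (des3-cbc-sha1)
   4 02/17/2021 09:00:00 host/example.fnal.gov@FNAL.GOV (aes256-cts-hmac-sha1-96)
   4 02/17/2021 09:00:00 host/example.fnal.gov@FNAL.GOV (aes128-cts-hmac-sha1-96)
   2 11/05/2019 10:12:05 ftp/example.fnal.gov@FNAL.GOV (des-cbc-crc)'

# Print "kvno principal enctype" for every key entry whose enctype is not AES.
# These are the keys that must be re-keyed (if no AES key exists yet) or
# removed with "ktremove ... old" once the old keys are no longer needed.
weak_keys() {
    printf '%s\n' "$1" | awk '
        /^ *[0-9]+ / {
            enc = $NF; gsub(/[()]/, "", enc)
            if (enc !~ /^aes/) print $1, $(NF-1), enc
        }'
}

# Number of non-AES key entries in the listing.
weak_key_count() {
    weak_keys "$1" | awk 'END { print NR }'
}

# Print each principal that has no AES key at all: these still need a ktadd
# with the AES keysalts (or, for an unused ftp principal, removal).
needs_rekey() {
    printf '%s\n' "$1" | awk '
        /^ *[0-9]+ / {
            enc = $NF; gsub(/[()]/, "", enc); p = $(NF-1)
            seen[p] = 1
            if (enc ~ /^aes/) aes[p] = 1
        }
        END { for (p in seen) if (!(p in aes)) print p }'
}

# Stand-alone run: replace SAMPLE with "$(klist -kte /etc/krb5.keytab)" on a real host.
echo "Non-AES keys:";            weak_keys "$SAMPLE"
echo "Principals lacking AES:";  needs_rekey "$SAMPLE"
```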

 

 

Step 2: After re-keying, you must do the following.

 

1) Destroy your ticket by running this command.

kdestroy

 

2) Get a new ticket for the username that can connect to the remote host by running this command.

kinit <username>

  

3) Connect back to your remote host.

  

4) Run tests to make sure that your remote host works as before.

 

NOTE: If re-keying with AES doesn’t work for you, you can re-key your host Kerberos principal back to use DES and 3DES by running these commands:

 

1) Re-key your host Kerberos principal back to use DES and 3DES.

kadmin -kt /etc/krb5.keytab -q "ktadd host/${HOSTNAME}.fnal.gov@FNAL.GOV"

 

2) Remove the old keys from the keytab.

kadmin -kt /etc/krb5.keytab -q "ktremove host/${HOSTNAME}.fnal.gov@FNAL.GOV old" 

 

3) Perform the same steps under the heading “Step 2: After re-keying, you must do the following”. 


How to troubleshoot common re-keying issues

 

1) Error message: ssh_packet_read: Connection closed

 

    Reason for the error: If you see this error when trying to connect back to your remote host after re-keying, please wait up to 20 minutes for the propagation to occur.

 

2) Error message: kadmin: Preauthentication failed while initializing kadmin interface

 

    Reason for the error: This may mean that you have entered the wrong password.

 

3) Error message: kadmin: Keytab contains no suitable keys for host/localhost@ while initializing kadmin interface

 

    Reason for the error: This may mean that the remote host is not on the network and cannot talk to the KDCs.

 

4) Error message: ktadd: Invalid argument while parsing keysalts aes256-cts-hmac-sha1-96:normal,aes128-cts-hmacsha1-96:normal

 

    Reason for the error: This means that you have a typo in the command (in the message above, aes128-cts-hmacsha1-96 is missing the hyphen in hmac-sha1).

 

5) Error message: kadmin: Client's entry in database has expired while initializing kadmin interface

 

    Reason for the error: This means that the Kerberos principal you are trying to use has expired.

 

6) Error message: kadmin: Pre-authentication failed: Permission denied while initializing kadmin interface

 

    Reason for the error: This means that you do not have the permission to edit or update the keytab on the remote host.