
How to re-key your host Kerberos principal with AES only


5.0 - Updated on 2021-02-19 by Carlos Salazar (Inactive)

4.0 - Updated on 2021-02-17 by Brittany Bossarte

3.0 - Updated on 2021-02-17 by Brittany Bossarte

2.0 - Updated on 2020-11-25 by Brittany Bossarte

1.0 - Authored on 2019-11-05 by Thomas Bozonelos


Intended for:

This article is intended for system administrators and system owners.


Scenario/Use case:

Advancements in computational ability have rendered some encryption methods (e.g., DES and 3DES) vulnerable to attack; they are therefore deprecated and replaced by another encryption method, AES. System administrators and system owners should re-key their host Kerberos principal with AES as soon as possible.

This article provides instructions on how to:

1) Re-key your host Kerberos principal with AES only.
2) Troubleshoot common re-keying issues.

If you need to re-key principals other than HOST/FTP, the command may be different. If you do not have a procedure in place for your special principal, put in a Service Desk ticket for assistance.


Instructions:

How to re-key your host Kerberos principal with AES only

Step 1: Run these commands to re-key your host Kerberos principal with AES only.

NOTE: These commands should only be run by the administrator of the host, and should be run as root.


1) View your current keytab.

klist -kte /etc/krb5.keytab

NOTE: This will list all current keys on your machine. All of these will either need to be re-keyed or removed.

If you are using a MacBook, list the keytab with either of the following equivalent commands:

ktutil --keytab=mykeytab list
ktutil -k mykeytab list

Replace mykeytab with the path to the keytab file.


2) Re-key your host Kerberos principal with AES only.

kadmin -kt /etc/krb5.keytab -q "ktadd host/${HOSTNAME}@FNAL.GOV"

3) If you have an ftp principal and need to re-key, run this command.

kadmin -kt /etc/krb5.keytab -p ftp/${HOSTNAME}@FNAL.GOV -q "ktadd ftp/${HOSTNAME}@FNAL.GOV"

NOTE: If you do not run an FTP service, this principal should be removed from your machine.

To remove the ftp principal from the keytab, run:

kadmin -kt /etc/krb5.keytab -q "ktremove ftp/${HOSTNAME}@FNAL.GOV"

4) Remove the old keys from the keytab.

kadmin -kt /etc/krb5.keytab -q "ktremove host/${HOSTNAME}@FNAL.GOV old"

NOTE: To avoid causing problems for users, or forcing them to run kdestroy, wait at least 8 days before removing the old keys.
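
As an added check that is not part of the original article: a POSIX shell script that parses the output of the klist -kte command from step 1 (MIT klist format, not the Heimdal ktutil listing used on a MacBook) and reports keys that are still non-AES, plus principals that still carry an older KVNO, which is what step 4 clears. The keytab listing embedded in the script is constructed, and the hostname is a placeholder.

```shell
#!/bin/sh
# Constructed sample of `klist -kte /etc/krb5.keytab` output (MIT format).
# Not captured from a real host: the hostname and timestamps are placeholders.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 02/17/2021 10:15:02 host/myhost.example.fnal.gov@FNAL.GOV (aes256-cts-hmac-sha1-96) 
   3 02/17/2021 10:15:02 host/myhost.example.fnal.gov@FNAL.GOV (aes128-cts-hmac-sha1-96) 
   2 11/25/2020 09:00:00 host/myhost.example.fnal.gov@FNAL.GOV (des3-cbc-sha1) 
   2 11/25/2020 09:00:00 ftp/myhost.example.fnal.gov@FNAL.GOV (des-cbc-crc) '

# One "kvno principal enctype" triple per key entry; header lines are skipped.
keytab_entries() {
    printf '%s\n' "$1" | awk '/^ *[0-9]+ / { gsub(/[()]/, "", $5); print $1, $4, $5 }'
}

# Entries whose enctype is not an AES type: each still needs re-keying or removal.
non_aes_entries() {
    keytab_entries "$1" | awk '$3 !~ /^aes/'
}

# Number of non-AES entries; 0 means the keytab is AES only.
count_non_aes() {
    non_aes_entries "$1" | wc -l | tr -d ' '
}

# Principals present under more than one KVNO, i.e. old keys still in the keytab
# after a re-key (what "ktremove ... old" clears once clients hold the new key).
principals_with_old_kvno() {
    keytab_entries "$1" \
        | awk '{ k = $2 SUBSEP $1; if (!(k in seen)) { seen[k] = 1; n[$2]++ } }
               END { for (p in n) if (n[p] > 1) print p }' \
        | sort
}

# Readable report; always returns 0 so callers can decide what to do with it.
report_keytab() {
    echo "Non-AES keys still present (re-key or ktremove):"
    non_aes_entries "$1" | sed 's/^/  /'
    echo "Principals carrying more than one KVNO:"
    principals_with_old_kvno "$1" | sed 's/^/  /'
    return 0
}

# Run against the constructed sample. On a real host, as root, use
# report_keytab "$(klist -kte /etc/krb5.keytab)" instead.
report_keytab "$SAMPLE_KLIST"
```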


Step 2: After re-keying, you must do the following.


1) Wait about 20 minutes for propagation.


2) Destroy your ticket by running this command.

kdestroy


3) Get a new ticket for the username that can connect to the remote host by running this command.

kinit <username>


4) Connect back to your remote host.


5) Run tests to make sure that your remote host works as before.


NOTE: If re-keying with AES doesn’t work for you, please open a ticket with Service Desk.



How to troubleshoot common re-keying issues

1) Error message: ssh_packet_read: Connection closed

    Reason for the error: If you see this error when trying to connect back to your remote host after re-keying, wait up to 20 minutes for propagation to occur.

2) Error message: kadmin: Preauthentication failed while initializing kadmin interface

    Reason for the error: This may mean that you have entered the wrong password.

3) Error message: kadmin: Keytab contains no suitable keys for host/localhost@ while initializing kadmin interface

    Reason for the error: This may mean that the remote host is not on the network and cannot talk to the KDCs.

4) Error message: ktadd: Invalid argument while parsing keysalts aes256-cts-hmac-sha1-96:normal,aes128-cts-hmacsha1-96:normal

    Reason for the error: This means there is a typo in the command (in the message above, aes128-cts-hmacsha1-96 is missing a hyphen; the enctype name is aes128-cts-hmac-sha1-96).

5) Error message: kadmin: Client's entry in database has expired while initializing kadmin interface

    Reason for the error: This means that the Kerberos principal you are trying to use has expired.

6) Error message: kadmin: Pre-authentication failed: Permission denied while initializing kadmin interface

    Reason for the error: This means that you do not have permission to edit or update the keytab on the remote host.