Kodiak,

I'm actually in the midst of this now.  Our company is running a 'deprecated protocols' project, where they're trying to eliminate rc4 encryption, SNMPv1, v2c and a few other weak protocols I won't mention here.

For AD, that eventually means changing the LDAP attribute msDS-SupportedEncryptionTypes of the computer accounts to a value of 24 (i.e., AES256 and AES128 only).  See:
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/decrypting-the-selection-of-supported-kerberos-encryption-types/ba-p/1628797 for values of this LDAP attribute msDS-SupportedEncryptionTypes.

Also, you have to ensure that any AD cross-domain trusts are not using rc4.  (That bit us).

For Linux servers, that means modifying the /etc/ssh/sshd_config file, the /etc/krb5.conf and maybe the /etc/krb5.conf.d/* files.

In RHEL8/9, the sshd ciphers are managed by the system-wide crypto-policies.  See the man page for 'update-crypto-policies'.  The details of how the ciphers are managed between RHEL8 and 9 differ in the back-end, but you probably don't care about that level of detail.

In RHEL 6/7, you edit the /etc/ssh/sshd_config file and edit the 'Ciphers' line.

For sssd and kerberos, again in RHEL8/9 it is managed by the system-wide crypto policies, which set up an /etc/krb5.conf.d/crypto-policies file (a symlink).  It has 'permitted_enctypes'.

For RHEL 6/7, as you state -- you set permitted_enctypes in /etc/krb5.conf or /etc/krb5.conf.d/*.   These encryptions are tried in the order listed, so you put your strongest encryptions first (AES256).

If you have an existing /etc/krb5.conf file with default_tkt_enctypes or default_tgs_enctypes, those settings are used preferentially over permitted_enctypes.

I'm not aware that the sssd.conf file specifies encryption types directly.  At least in our company's sssd.conf files, it does not.

Spike White
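As an added illustration of the two settings Spike describes (not code from the thread, RHEL or SSSD), the script below decodes an msDS-SupportedEncryptionTypes value using the bit values from the Microsoft article linked above, and audits the [libdefaults] section of a krb5.conf for leftover weak enctypes, AES256-first ordering, and a default_tkt_enctypes/default_tgs_enctypes line that would take precedence over permitted_enctypes. The krb5.conf parser is a deliberately simplified one (no includes, '#' comments only), and the sample config is constructed.

```python
# Added audit example (not from the thread): decode msDS-SupportedEncryptionTypes
# and check krb5.conf [libdefaults] for weak or overriding enctype settings.
MSDS_ENCTYPE_BITS = {  # bit values from Microsoft's documentation
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "rc4-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}
WEAK_PREFIXES = ("des", "rc4", "arcfour")  # enctypes the deprecation project removes

def decode_msds_enctypes(value):
    """Return the enctype names enabled in the bitmask; 24 yields the two AES types."""
    return [name for bit, name in MSDS_ENCTYPE_BITS.items() if value & bit]

def parse_libdefaults(text):
    """Map key -> list of values from the [libdefaults] section (simplified parser)."""
    result, in_section = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            in_section = line == "[libdefaults]"
        elif in_section and "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            result[key] = val.split()
    return result

def audit_krb5_conf(text):
    """Flag weak enctypes, wrong ordering, and keys that override permitted_enctypes."""
    conf = parse_libdefaults(text)
    findings = []
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        if key in conf:
            findings.append(f"{key} is set and takes precedence over permitted_enctypes")
    for key in ("permitted_enctypes", "default_tkt_enctypes", "default_tgs_enctypes"):
        for enc in conf.get(key, []):
            if enc.lower().startswith(WEAK_PREFIXES):
                findings.append(f"{key} allows weak enctype {enc}")
    permitted = conf.get("permitted_enctypes", [])
    if permitted and not permitted[0].startswith("aes256"):
        findings.append("permitted_enctypes should list aes256 first")
    return findings

# Constructed sample krb5.conf with a stale default_tkt_enctypes left behind
SAMPLE_KRB5_CONF = """
[libdefaults]
  permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
  default_tkt_enctypes = rc4-hmac aes256-cts-hmac-sha1-96
"""
```

Run `audit_krb5_conf(open("/etc/krb5.conf").read())` on a host to see which of the three keys still admits RC4 or DES; on RHEL8/9 remember that the effective file is assembled from /etc/krb5.conf.d/* as well.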


On Wed, Mar 29, 2023 at 7:19 AM Kodiak Firesmith <firesmith@protonmail.com> wrote:
Hi Folks,

I'm nominally aware that the ability for adcli joins to honor custom enctypes became a thing around 2018, but I'm having a heck of a time finding guidance online for setting permitted enctypes so that keytabs don't create keys for DES and RC4.  

Our environment uses a mixture of SSSD 2.2.3, and 2.6.3, joining to MS Active Directory, which my Windows admins have said run MS Server 2019 with Active Directory 2016.

I've been digging around on search engines and picking through various krb5 docs, and I think SSSD will refer to krb5.conf, and might be reading supported_enctypes or permitted_enctypes, but I'm not sure how to put it all together.

Thanks very much!
 - Kodiak Firesmith

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org