#1
I'm confused... I have a Kerberos KDC that apparently used to be able to create AES256 keys, but now for some unknown reason has stopped supporting it - and I can't figure out why and where!?

Setup: Solaris 10 5/08, fully patched with all the latest patches. KDC is running in a zone on a Sun Netra X1.

AES256 is available:

# cryptoadm list
User-level providers:
        Provider: /usr/lib/security/$ISA/pkcs11_kernel.so
        Provider: /usr/lib/security/$ISA/pkcs11_softtoken.so

Kernel software providers:
        swrand
        rsa
        md5
        sha2
        sha1
        blowfish448
        arcfour2048
        aes256
        des

Kernel hardware providers:

Defaults are used in krb5.conf and kdc.conf (ie: no "default_tkt_enctypes" or "default_tgs_enctypes").

If I run "kadmin" in the zone and "addprinc -randkey" a new host principal I will get one without AES256 support:

kadmin: addprinc -randkey host/pi-bootis.ifm.liu.se
WARNING: no policy specified for host/pi-bootis.ifm.liu.se@IFM.LIU.SE; defaulting to no policy
Principal "host/pi-bootis.ifm.liu.se@IFM.LIU.SE" created.

kadmin: getprinc host/pi-bootis.ifm.liu.se
Principal: host/pi-bootis.ifm.liu.se@IFM.LIU.SE
Expiration date: [never]
Last password change: Thu Aug 28 11:12:00 MEST 2008
Password expiration date: [none]
Maximum ticket life: 24855 days 03:14:07
Maximum renewable life: 24855 days 03:14:07
Last modified: Thu Aug 28 11:12:00 MEST 2008 (peter/admin@IFM.LIU.SE)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 2, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, ArcFour with HMAC/md5, no salt
Key: vno 2, DES cbc mode with RSA-MD5, no salt
Attributes: REQUIRES_PRE_AUTH
Policy: [none]

_However_ - if I look at some older host principals that were created before, then apparently I _was_ able to create such:

kadmin: getprinc host/xi-bootis.ifm.liu.se
Principal: host/xi-bootis.ifm.liu.se@IFM.LIU.SE
Expiration date: [never]
Last password change: Sun Dec 30 20:54:19 MET 2007
Password expiration date: [none]
Maximum ticket life: 24855 days 03:14:07
Maximum renewable life: 24855 days 03:14:07
Last modified: Sun Dec 30 20:54:19 MET 2007 (keydist/as-master.ifm.liu.se@IFM.LIU.SE)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 5
Key: vno 7, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 7, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 7, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 7, ArcFour with HMAC/md5, no salt
Key: vno 7, DES cbc mode with RSA-MD5, no salt
Attributes: REQUIRES_PRE_AUTH
Policy: [none]

If I now try to use the principals with AES256 keys (ktadd in kadmin) I will get an error... This is pretty annoying to say the least.

Any suggestions?

(And considering the AES-kernel-problems perhaps I should just globally remove all AES (both AES256 and AES128) keys from all principals and forget about this problem...)

- Peter

--
Peter Eriksson
Computer Systems Manager/BOFH
Cell/GSM: +46 705 18 2786
Physics Department, Linköping University
Room: Building F, F203
#2
Peter Eriksson wrote:
>I'm confused...
>I have a Kerberos KDC that apparently used to be able
>to create AES256 keys, but now for some unknown reason
>has stopped supporting it - and I can't figure out why
>and where!?

Ah.. I blame this cold I've got for not remembering what this problem was. I had this issue before. Although I would have thought that this issue should have been fixed by now in Solaris 10 5/08...

The problem was that, in the zone running my KDC, the file /etc/crypto/pkcs11.conf contains:

/usr/lib/security/$ISA/pkcs11_softtoken.so

Whereas in the global zone on the same machine (and on machines where it works) it contains:

/usr/lib/security/$ISA/pkcs11_softtoken_extra.so

Solution: Change the pkcs11.conf file in all zones...

- Peter

--
Peter Eriksson
Computer Systems Manager/BOFH
Cell/GSM: +46 705 18 2786
Physics Department, Linköping University
Room: Building F, F203
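The two checks the thread boils down to, as an added example that is not part of the thread or of Solaris itself: does a zone's /etc/crypto/pkcs11.conf load pkcs11_softtoken_extra.so (the provider the reply identifies as the one that makes AES-256 available), and does a principal's "kadmin getprinc" output actually list an AES-256 key. The config contents, principal names and zone names below are constructed samples modelled on the output quoted above, not data from the original machines.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Checks (a) whether a pkcs11.conf loads
# pkcs11_softtoken_extra.so and (b) whether getprinc output lists an AES-256
# key, then prints a one-line verdict per zone. All inputs are constructed.

# Exit 0 if the given pkcs11.conf lists the "extra" softtoken provider, else 1.
pkcs11_has_extra_softtoken() {
    grep -q 'pkcs11_softtoken_extra\.so' "$1"
}

# Exit 0 if the given getprinc output contains an AES-256 key line, else 1.
princ_has_aes256() {
    grep -q '^Key: vno [0-9][0-9]*, AES-256 ' "$1"
}

# Print the number of "Key: vno ..." lines in the given getprinc output.
princ_key_count() {
    grep -c '^Key: vno' "$1"
}

# Print one verdict line: zone name, provider state, principal key state.
report() {
    zone=$1; conf=$2; princ_out=$3
    if pkcs11_has_extra_softtoken "$conf"; then
        conf_state="softtoken_extra"
    else
        conf_state="softtoken only (AES-256 unavailable)"
    fi
    if princ_has_aes256 "$princ_out"; then
        key_state="has AES-256 key"
    else
        key_state="no AES-256 key"
    fi
    echo "$zone: pkcs11.conf=$conf_state; principal $key_state ($(princ_key_count "$princ_out") keys)"
}

# --- constructed sample inputs (hypothetical zone and principal names) ---
WORK=$(mktemp -d)
ZONE_CONF="$WORK/pkcs11.conf.kdc-zone"
GLOBAL_CONF="$WORK/pkcs11.conf.global"
printf '%s\n' '/usr/lib/security/$ISA/pkcs11_softtoken.so' > "$ZONE_CONF"
printf '%s\n' '/usr/lib/security/$ISA/pkcs11_softtoken_extra.so' > "$GLOBAL_CONF"

NEW_PRINC="$WORK/getprinc.new"      # principal created in the restricted zone
cat > "$NEW_PRINC" <<'EOF'
Principal: host/new.example.invalid@EXAMPLE.INVALID
Number of keys: 4
Key: vno 2, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, ArcFour with HMAC/md5, no salt
Key: vno 2, DES cbc mode with RSA-MD5, no salt
EOF

OLD_PRINC="$WORK/getprinc.old"      # principal created while AES-256 worked
cat > "$OLD_PRINC" <<'EOF'
Principal: host/old.example.invalid@EXAMPLE.INVALID
Number of keys: 5
Key: vno 7, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 7, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 7, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 7, ArcFour with HMAC/md5, no salt
Key: vno 7, DES cbc mode with RSA-MD5, no salt
EOF

report "kdc-zone" "$ZONE_CONF"   "$NEW_PRINC"
report "global"   "$GLOBAL_CONF" "$OLD_PRINC"
```

On a real host the two file arguments would be each zone's /etc/crypto/pkcs11.conf and the saved output of "getprinc" for a principal created in that zone; a mismatch between a global zone that lists pkcs11_softtoken_extra.so and a non-global zone that lists only pkcs11_softtoken.so is exactly the situation the reply describes.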