How to Remove Old DES Entries from Keytabs
Environment
- Red Hat Enterprise Linux 5
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 8
Issue
DES encryption types are obsolete, and keytab entries that use them should be removed unless they are absolutely necessary.
NOTE: This method can be used to remove keytab entries of any encryption type, but this article focuses on entries that use DES encryption.
Resolution
Prerequisite steps and information
- Ensure krb5-workstation is installed:
  # yum install krb5-workstation
- For example purposes, the Principal's hostname is ipa1.example.local@EXAMPLE.LOCAL, the ciphers removed are arcfour-hmac and des3-cbc-sha1, and the revised keytab is named /etc/new_krb5.keytab. Note: one or more of these will likely be different and should reflect the needs of the target environment.
Workflow
- Run ktutil, a shell used to interact with and edit keytabs:
  # ktutil
- Load the keytab for editing:
  ktutil: read_kt /etc/krb5.keytab
- List the keytab entries to find the slot number that identifies each entry to be removed:
  ktutil: list -e
  slot KVNO Principal
  ---- ---- ---------------------------------------------------------------------
     1    2 host/ipa1.example.local@EXAMPLE.LOCAL (aes256-cts-hmac-sha1-96)
     2    2 host/ipa1.example.local@EXAMPLE.LOCAL (aes128-cts-hmac-sha1-96)
     3    2 host/ipa1.example.local@EXAMPLE.LOCAL (des3-cbc-sha1)            <---
     4    2 host/ipa1.example.local@EXAMPLE.LOCAL (arcfour-hmac)             <---
     5    2 host/ipa1.example.local@EXAMPLE.LOCAL (camellia128-cts-cmac)
     6    2 host/ipa1.example.local@EXAMPLE.LOCAL (camellia256-cts-cmac)
- des3-cbc-sha1 and arcfour-hmac are in slots 3 and 4. Here, slot 4 is deleted first and then slot 3, in that specific order, because removing an entry shifts the slot numbers of every entry below it. Note: to avoid deleting the wrong entry because of this shifting, removing entries from the bottom of the list to the top is strongly recommended:
  ktutil: delete_entry 4
  ktutil: delete_entry 3
- Double-check the revised entry list before saving the changes:
  ktutil: list -e
  slot KVNO Principal
  ---- ---- ---------------------------------------------------------------------
     1    2 host/ipa1.example.local@EXAMPLE.LOCAL (aes256-cts-hmac-sha1-96)
     2    2 host/ipa1.example.local@EXAMPLE.LOCAL (aes128-cts-hmac-sha1-96)
     3    2 host/ipa1.example.local@EXAMPLE.LOCAL (camellia128-cts-cmac)
     4    2 host/ipa1.example.local@EXAMPLE.LOCAL (camellia256-cts-cmac)
- Save the revisions to a new keytab:
  ktutil: write_kt /etc/new_krb5.keytab
- Exit ktutil:
  ktutil: exit
- Double-check the newly created keytab for correctness:
  # klist -ek /etc/new_krb5.keytab
  Keytab name: FILE:/etc/new_krb5.keytab
  KVNO Principal
  ---- --------------------------------------------------------------------------
     2 host/ipa1.example.local@EXAMPLE.LOCAL (aes256-cts-hmac-sha1-96)
     2 host/ipa1.example.local@EXAMPLE.LOCAL (aes128-cts-hmac-sha1-96)
     2 host/ipa1.example.local@EXAMPLE.LOCAL (camellia128-cts-cmac)
     2 host/ipa1.example.local@EXAMPLE.LOCAL (camellia256-cts-cmac)
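The workflow above is interactive and relies on reading slot numbers by eye, which is where the bottom-to-top ordering matters. The shell functions below are an added example, not part of this article or of the krb5 tools: they take the text of a `ktutil` `list -e` listing, find the slots whose encryption type is one of the names given, and emit the `ktutil` commands with the `delete_entry` lines already ordered from the highest slot down. The listing is a constructed sample that mirrors the table above; the function names and the `/etc/new_krb5.keytab` output path are this example's own choices.

```shell
#!/bin/sh
# Added example: build a bottom-to-top ktutil delete script for chosen enctypes.
set -eu

# Constructed sample of `ktutil: list -e` output (same entries as the article).
SAMPLE_LIST='slot KVNO Principal
---- ---- ----------------------------------------------------------
   1    2 host/ipa1.example.local@EXAMPLE.LOCAL (aes256-cts-hmac-sha1-96)
   2    2 host/ipa1.example.local@EXAMPLE.LOCAL (aes128-cts-hmac-sha1-96)
   3    2 host/ipa1.example.local@EXAMPLE.LOCAL (des3-cbc-sha1)
   4    2 host/ipa1.example.local@EXAMPLE.LOCAL (arcfour-hmac)
   5    2 host/ipa1.example.local@EXAMPLE.LOCAL (camellia128-cts-cmac)
   6    2 host/ipa1.example.local@EXAMPLE.LOCAL (camellia256-cts-cmac)'

# weak_slots LIST ENCTYPE... : print the slot numbers whose last column is
# "(ENCTYPE)" for any of the given names, highest slot first, so that each
# delete_entry does not shift the slots still to be deleted.
weak_slots() {
  list=$1; shift
  for et in "$@"; do
    printf '%s\n' "$list" |
      awk -v want="($et)" '$1 ~ /^[0-9]+$/ && $NF == want { print $1 }'
  done | sort -rn
}

# ktutil_script KEYTAB OUT LIST ENCTYPE... : emit the full ktutil command
# sequence (read, ordered deletes, write to a new file, exit) on stdout.
ktutil_script() {
  keytab=$1; out=$2; list=$3; shift 3
  echo "read_kt $keytab"
  weak_slots "$list" "$@" | sed 's/^/delete_entry /'
  echo "write_kt $out"
  echo "exit"
}

# To drive the real tool, capture the listing first and pipe the result in:
#   ktutil_script /etc/krb5.keytab /etc/new_krb5.keytab "$listing" \
#       des3-cbc-sha1 arcfour-hmac | ktutil
# then verify with: klist -ek /etc/new_krb5.keytab
```

Because the generated commands write to a new keytab rather than overwriting `/etc/krb5.keytab`, the original file stays intact until `klist -ek` confirms the new one contains only the intended entries.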
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.