Re: Trouble with kerberos encryption types

[Daniel Kobras <kobras@xxxxxxxxxxxxx>]

Hi!

Am 09.05.25 um 23:03 schrieb Orion Poplawski:
> On 5/9/25 13:55, Orion Poplawski wrote:
> > On 5/9/25 07:21, Daniel Kobras wrote:
> > > Hi!
> > >
> > > Am 07.05.25 um 19:39 schrieb Orion Poplawski:
> > > > I tried adding this to the mac without any change:
> > > >
> > > > [libdefaults]
> > > > permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128
> > > > aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac
> > > > camellia128-cts-cmac
> > > > default_tgs_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128
> > > > aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac
> > > > camellia128-cts-cmac
> > >
> > > Those are options for MIT's libkrb5. Unless you're using a non-default stack
> > > on the mac, you probably want to use Heimdal's default_etypes, or the more
> > > specific default_as_etypes/default_tgs_etypes instead.
> >
> > I ended up slimming down to:
> >
> >    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
> >    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
> >    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
> >
> > but those are the option names from man krb5.conf on the mac.
>
> I should have trusted you :) - I finally came across this:
>
> https://services.dartmouth.edu/TDClient/1806/Portal/KB/ArticleDet?ID=89203
>
> which has:
>
>          default_etypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
>
> and setting that does fix the skey encryption type.

Thanks for the update. So the heuristic to derive the enctype for the 
forwarded TGT from the service ticket seems to be specific to MIT, 
whereas Heimdal apparently just uses a client-side default.

> I'm still stuck with the non-renewable ticket that they mention as well, so it
> seems like GSSAPI auth from a mac is not very useful.

That's another Heimdal-specific behavior, which means that the renewal 
of delegated tickets needs to be driven from the delegating side. With 
OpenSSH, this is possible with the following settings:

ssh server:
  GSSAPIKeyExchange yes
  GSSAPIStoreCredentialsOnRekey yes

ssh client:
  GSSAPIKeyExchange yes
  GSSAPIRenewalForcesRekey yes


If this is not sufficient because the NFS client requires tickets beyond 
the lifetime of the ssh session, then maybe a different approach like 
gssproxy's impersonation feature (cf. 
<https://github.com/gssapi/gssproxy/blob/main/docs/NFS.md#user-impersonation-via-constrained-delegation>) 
is more suitable?

Kind regards,

Daniel
--
Daniel Kobras
Principal Architect
Puzzle ITC Deutschland
+49 7071 14316 0
www.puzzle-itc.de

--
Puzzle ITC Deutschland GmbH
Sitz der Gesellschaft: Eisenbahnstraße 1, 72072 
Tübingen

Eingetragen am Amtsgericht Stuttgart HRB 765802
Geschäftsführer: 
Lukas Kallies, Daniel Kobras, Mark Pröhl