Go to main content

Managing Kerberos in Oracle® Solaris 11.4

Exit Print View

Updated: August 2020
 
 

How to Require Strong Encryption in Kerberos

This procedure completely disables the use of the arcfour-hmac and des3-cbc-sha1 encryption types.


Caution  -  This procedure breaks interoperability for deployments that join Oracle Solaris systems to domains and forests that are using weaker encryption.


  1. On the KDC, require strong encryption types for all tickets.

    Modify the permitted encryption types in the [libdefaults] section of the krb5.conf file.

    kdc # cd /etc/krb5
    kdc # pfedit krb5.conf
         [libdefaults]
         ... 
         permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
  2. On Kerberos clients, require strong encryption types for all tickets.

    Modify the default encryption types in the [libdefaults] section of the krb5.conf file.

    Kerberos-client # cd /etc/krb5
    Kerberos-client # pfedit krb5.conf
        [libdefaults]
         ...
        default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
        default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96