In Red Hat Enterprise Linux 6, Kerberos clients and servers (including KDCs) will default to not using keys for the ciphers des-cbc-crc
, des-cbc-md4
, des-cbc-md5
, des-cbc-raw
, des3-cbc-raw
, des-hmac-sha1
, and arcfour-hmac-exp
. By default, clients will not be able to authenticate to services which have keys of these types.
Most services can have a new set of keys (including keys for use with stronger ciphers) added to their keytabs and experience no downtime, and the ticket granting service's keys can likewise be updated to a set which includes keys for use with stronger ciphers, using kadmin's cpw -keepold
command.
As a temporary workaround, systems that need to continue to use the weaker ciphers require the
allow_weak_crypto
option in the
libdefaults section of the
/etc/krb5.conf
file. This variable is set to
false by default, and authentication will fail without having this option enabled:
[libdefaults]
allow_weak_crypto = yes
Additionally, support for Kerberos IV, both as an available shared library and as a supported authentication mechanism in applications, has been removed. Newly-added support for lockout policies requires a change to the database dump format. Master KDCs which need to dump databases in a format which older KDCs can consume should run kdb5_util's dump
command with the -r13
option.