-
Title
Weak encryption type des-cbc-crc is in the vas.conf file, does this mean it's being used. -
Description
The following Kerberos encryption type is seen in the vas.conf configuration file. Does this mean that it is being used?
default_etypes_des = des-cbc-crc -
Resolution
The current default encryption type that Authentication Services uses is RC4, specifically arcfour-hmac-md5 which is strong.
Authentication Services has the option to use weak encryption types, DES and DES3. This doesn't mean however that it's being used and in most cases a customer would have to go out of there way to use it. This encryption type was disabled by default as of Windows 2008R2 Server.
There are two configuration lines in the vas.conf file for this (/etc/opt/quest/vas/vas.conf).
default_etypes = arcfour-hmac-md5
default_etypes_des = des-cbc-crc
If you can confirm with your AD team that DES encryption is not not being used for anything then you can safely remove the "default_etypes_des = des-cbc-crc" line from the vas.conf file. Again though, that line being there does not mean it's being used.
As of 4.1.0-22419 DES was removed from the default enc types and additional support for AES included as per this code change.Bug 590282* krb5: Remove DES from default enc types. When the user name is unknown, usea handshake to obtain the correct salt value for AES encryption instead ofsending a potentially bad packet before sending the correctly salted hash.
We also have an Enhancement request raised to remove the 'default_etypes_des' option from vas.conf in a future release of Authentication services:---------------------------------
228495 - Remove default_des_types from vas.conf
---------------------------------