This setup relies on the domain being configured properly for AES.
This includes having the krbtgt account and any trusts set to AES, and having their passwords changed so that AES keys are actually generated (setting the attribute alone does not create new keys).
The following article from Microsoft goes into further detail about DC behavior and restricting it to AES only:
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/decrypting-the-selection-of-supported-kerberos-encryption-types/ba-p/1628797
This command (run as root on a SAS-joined host, authenticating with the host keytab) lists the msds-supportedencryptiontypes attribute of every trust object in each known domain so you can check trusts for AES enablement:
/opt/quest/bin/vastool kinit host/; for d in `/opt/quest/bin/vastool info domains`; do echo $d; /opt/quest/bin/vastool search -b "cn=system,`echo $d | sed -e 's/\(.*\)/DC=\1/' -e 's/\./,DC=/g'`" -s one "(objectClass=trustedDomain)" dn msds-supportedencryptiontypes; echo; done
If the attribute is not set, the default behavior depends on the Windows Server version of the DC and on the state of the changes described in:
https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d
The krbtgt account will also need to be AES enabled if not already.
Refer to Microsoft's documentation for further guidance on configuring AD properly for AES.
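The trust check above prints msds-supportedencryptiontypes as a raw integer, which is a bitmask. The following added helper (not part of the One Identity article or of SAS itself) decodes that bitmask using the flag values from [MS-KILE] and classifies each trust as AES-only, still advertising legacy RC4/DES, or unset. The LDIF-style sample it parses is constructed here to approximate what the vastool search loop prints; the DNs and values are made up, and the real output layout should be checked against your own domain.

```shell
#!/bin/sh
# Decode msds-supportedencryptiontypes (MS-KILE 2.2.7 flag bits) and report
# the AES posture of each trust. Added example, not One Identity code.

# Print the symbolic names of the enctype flags set in a value, e.g. 24 -> AES128 AES256.
decode_etypes() {
    v=$1
    out=""
    [ $((v & 1)) -ne 0 ]  && out="$out DES-CBC-CRC"
    [ $((v & 2)) -ne 0 ]  && out="$out DES-CBC-MD5"
    [ $((v & 4)) -ne 0 ]  && out="$out RC4-HMAC"
    [ $((v & 8)) -ne 0 ]  && out="$out AES128-CTS-HMAC-SHA1-96"
    [ $((v & 16)) -ne 0 ] && out="$out AES256-CTS-HMAC-SHA1-96"
    [ $((v & 32)) -ne 0 ] && out="$out AES256-CTS-HMAC-SHA1-96-SK"
    # Strip the leading space; an empty result means no enctype bit is set.
    printf '%s\n' "${out# }"
}

# "aes-only": at least one AES bit and no DES/RC4 bit.
# "legacy":   a DES or RC4 bit is set (RC4 tickets can still be issued).
# "unset":    0, which falls back to the DC default described in KB5021131.
classify_etypes() {
    v=$1
    if [ "$v" -eq 0 ]; then
        echo unset
    elif [ $((v & 7)) -ne 0 ]; then
        echo legacy
    elif [ $((v & 56)) -ne 0 ]; then
        echo aes-only
    else
        echo unknown
    fi
}

# Read LDIF-style "dn:" / "msds-supportedencryptiontypes:" lines on stdin and
# print "<dn> <value> <classification>" per trust. A trust whose attribute line
# is missing is reported with value 0 (attribute absent).
report_trusts() {
    dn=""; val=0
    while IFS= read -r line; do
        case "$line" in
            dn:*)
                if [ -n "$dn" ]; then
                    printf '%s %s %s\n' "$dn" "$val" "$(classify_etypes "$val")"
                fi
                dn=${line#dn: }; val=0 ;;
            msds-supportedencryptiontypes:*|msDS-SupportedEncryptionTypes:*)
                val=${line##*: } ;;
        esac
    done
    if [ -n "$dn" ]; then
        printf '%s %s %s\n' "$dn" "$val" "$(classify_etypes "$val")"
    fi
}

# Constructed sample output (not captured from a real domain): one AES-only
# trust, one that still allows RC4, and one with the attribute absent.
SAMPLE='dn: CN=corp.example.com,CN=System,DC=example,DC=com
msds-supportedencryptiontypes: 24

dn: CN=legacy.example.net,CN=System,DC=example,DC=com
msds-supportedencryptiontypes: 28

dn: CN=old.example.org,CN=System,DC=example,DC=com
'

# Stand-alone demo: decode the value used for the host object, then report the sample.
echo "24 = $(decode_etypes 24)"
printf '%s\n' "$SAMPLE" | report_trusts
```

On a real host the loop from the article can be piped straight into report_trusts; any trust reported as "legacy" will still let the DC issue RC4 tickets across that trust regardless of the client settings below.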
STEPS for SAS clients:
Run the following commands on each host. This could be automated in a script or via GPO:
# This tells AD to only issue AES128/AES256-encrypted tickets for the host/<fqdn> service principal of the computer object (8 + 16 = 24).
/opt/quest/bin/vastool -u host/ setattrs host/ msds-supportedencryptiontypes 24
# This tells SAS/vastool to only request AES tickets for users logging in with a password.
/opt/quest/bin/vastool configure vas libdefaults default_etypes aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
# This sets up vasd to remove the RC4 key from the host keytab during each password change, so SAS cannot validate an RC4-encrypted ticket even if AD issued one.
printf '#!/bin/sh\n/opt/quest/bin/vastool ktutil remove -e arcfour-hmac-md5\n' > /opt/quest/libexec/vas/scripts/remove_rc4.sh
chmod +x /opt/quest/libexec/vas/scripts/remove_rc4.sh
/opt/quest/bin/vastool configure vas vasd password-change-script /opt/quest/libexec/vas/scripts/remove_rc4.sh
# Restart the vasd daemon. The native OS restart commands can be used, such as systemctl on Red Hat, or the following command, which can be run on any supported OS with SAS installed:
/opt/quest/bin/vastool daemon restart vasd
# Have host/ rotate its password, which also runs the new password-change script for the first time.
/opt/quest/bin/vastool -u host/ passwd -r
# Verify that there are no keys other than AES in the keytab.
/opt/quest/bin/vastool ktutil list
# Use host/ both as the client principal and as the target service (-S host/) to check the ticket etypes.
/opt/quest/bin/vastool kinit -S host/ host/
/opt/quest/bin/vastool klist -v
This one-liner clears the current ticket cache, runs the above commands, and prints only the ticket etype and session key lines (the sed skips the first two matched lines, which belong to the TGT) to confirm that only AES is seen.
/opt/quest/bin/vastool kdestroy > /dev/null; /opt/quest/bin/vastool kinit -S host/ host/; /opt/quest/bin/vastool klist -v | grep -e "et e" -e "on k" | sed 1,2d
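Rather than eyeballing the grep output, the check in the last step can be scripted. The following added example (not code from the One Identity article or from SAS) parses the "Ticket etype:" and "Session key:" lines that the grep -e "et e" -e "on k" above selects and fails if any ticket or session key in the cache, including the TGT, uses a non-AES enctype. It goes slightly beyond the one-liner by checking every credential rather than skipping the TGT, since the krbtgt account is also expected to be AES-enabled. The two credential caches embedded below are constructed approximations of Heimdal-style klist -v output, not captured product output; only the two line types named above are relied on.

```shell
#!/bin/sh
# Verify that a "vastool klist -v" listing contains only AES enctypes.
# Added example, not One Identity code.

# Read klist -v output on stdin and print one line per credential:
# "<server> <ticket-etype> <session-key-etype>" ("-" if a line was not present).
summarize_etypes() {
    server=""; tkt=""; sk=""
    while IFS= read -r line; do
        case "$line" in
            Server:*)
                if [ -n "$server" ]; then
                    printf '%s %s %s\n' "$server" "${tkt:--}" "${sk:--}"
                fi
                server=${line#Server: }; tkt=""; sk="" ;;
            *"Ticket etype:"*)
                # Drop a trailing ", kvno N" if present.
                tkt=${line#*Ticket etype: }; tkt=${tkt%%,*} ;;
            *"Session key:"*)
                sk=${line#*Session key: } ;;
        esac
    done
    if [ -n "$server" ]; then
        printf '%s %s %s\n' "$server" "${tkt:--}" "${sk:--}"
    fi
}

# Read summarize_etypes output on stdin; return 0 if every enctype is AES,
# otherwise print the offenders and return 1.
assert_aes_only() {
    bad=0
    while read -r server tkt sk; do
        for e in "$tkt" "$sk"; do
            case "$e" in
                aes128-cts-hmac-sha1-96|aes256-cts-hmac-sha1-96|-) ;;
                *) echo "NON-AES: $server uses $e"; bad=1 ;;
            esac
        done
    done
    return $bad
}

# Constructed sample: TGT is AES but the host/ service ticket came back RC4,
# which is what you see when the service still advertises RC4 to AD.
SAMPLE_BAD='Credentials cache: FILE:/tmp/krb5cc_0
        Principal: host/sas01.example.com@EXAMPLE.COM

Server: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Client: host/sas01.example.com@EXAMPLE.COM
Ticket etype: aes256-cts-hmac-sha1-96, kvno 7
Session key: aes256-cts-hmac-sha1-96
Ticket flags: pre-authent, initial, renewable, forwardable

Server: host/sas01.example.com@EXAMPLE.COM
Client: host/sas01.example.com@EXAMPLE.COM
Ticket etype: arcfour-hmac-md5, kvno 3
Session key: arcfour-hmac-md5
Ticket flags: pre-authent, renewable, forwardable
'

# Constructed sample of the expected state after the steps above.
SAMPLE_GOOD='Credentials cache: FILE:/tmp/krb5cc_0
        Principal: host/sas01.example.com@EXAMPLE.COM

Server: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Client: host/sas01.example.com@EXAMPLE.COM
Ticket etype: aes256-cts-hmac-sha1-96, kvno 7
Session key: aes256-cts-hmac-sha1-96

Server: host/sas01.example.com@EXAMPLE.COM
Client: host/sas01.example.com@EXAMPLE.COM
Ticket etype: aes256-cts-hmac-sha1-96, kvno 4
Session key: aes256-cts-hmac-sha1-96
'

# Stand-alone demo over the bad sample.
printf '%s\n' "$SAMPLE_BAD" | summarize_etypes
if printf '%s\n' "$SAMPLE_BAD" | summarize_etypes | assert_aes_only; then
    echo "PASS: AES only"
else
    echo "FAIL: non-AES enctypes present"
fi
```

On a SAS host, after the kinit in the previous step, run /opt/quest/bin/vastool klist -v | summarize_etypes | assert_aes_only and use its exit status in whatever checks the rollout.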
NOTE: If a keytab for a service account was created with a version of QAS older than 4.1.5, the AES keys could be salted incorrectly, which breaks them. The password/keytab should be re-created with a newer SAS version or generated from a Windows system.
© 2025 One Identity LLC. ALL RIGHTS RESERVED.