On 01/18/2016 07:30 PM, Machin, Glenn D wrote:

> Apparently MacOSX Heimdal is set at 1024 and has no (at least that I can find) krb5.conf attribute like pkinit_dh_min_bits.

From a look at the source code, it seems like Heimdal supports a pkinit_dh_min_bits variable in [libdefaults], but only has built-in DH groups at 1024 and 1760 bits. If I'm right, you would need a krb5.moduli file to make it support a 2048-bit group, and I can't find any documentation on how to do that. (To Heimdal's credit, it has supported ECDH PKINIT using P-256 for years now, but that doesn't help you interoperate because MIT krb5 doesn't implement it.)

> The MIT KDC minimum is 2048 and even if you set the kdc.conf pkinit_dh_min_bits to 1024 the source code's minimum is defined at 2048.

This was changed in 1.11.3 and 1.12+; we now allow values as low as 1024 bits to be configured. Be aware that cryptographers believe 1024-bit Diffie-Hellman to be attackable by nation-state adversaries. It seems like a value of 1760 bits might work with OS X clients (even without configuration), so you might consider that instead.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
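Since the thread turns on what pkinit_dh_min_bits is actually set to on a given KDC, the following is an added audit script (not from the mailing list, and not MIT or Heimdal project code) that reads an MIT kdc.conf-style file and reports every realm whose effective PKINIT DH minimum is below 2048 bits. It assumes MIT's brace-delimited kdc.conf layout, with pkinit_dh_min_bits allowed either in [kdcdefaults] or inside a realm block under [realms], and that an absent option means MIT's 2048-bit default; the sample configuration embedded in it is constructed for the example.

```python
"""Audit pkinit_dh_min_bits in an MIT kdc.conf-style file.

Added example for this thread; not mailing-list, MIT or Heimdal code.
Assumptions: MIT kdc.conf syntax, the option may appear in [kdcdefaults]
or in a realm block under [realms], and a missing option falls back to
MIT's 2048-bit default.  The sample configuration below is constructed.
"""
import re

MIT_DEFAULT_BITS = 2048  # assumed MIT default when the option is absent

# Constructed sample: one realm at 1024, one at 1760, one relying on the default.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
    kdc_ports = 88

[realms]
    EXAMPLE.COM = {
        pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem
        pkinit_dh_min_bits = 1024   # weak: 1024-bit DH
    }
    LAB.EXAMPLE.COM = {
        pkinit_dh_min_bits = 1760
    }
    SECURE.EXAMPLE.COM = {
    }
"""


def parse_kdc_conf(text):
    """Return (default_bits, {realm: bits_or_None}).

    Minimal reader for the brace-delimited layout: tracks the current
    section and realm block, strips comments, and only looks for
    pkinit_dh_min_bits.  It does not implement the full krb5 profile grammar.
    """
    default_bits = None
    realms = {}
    section = None
    realm = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:  # new section resets any open realm block
            section, realm = m.group(1), None
            continue
        m = re.match(r"^([^\s=]+)\s*=\s*\{$", line)
        if m and section == "realms":  # start of a realm block
            realm = m.group(1)
            realms.setdefault(realm, None)
            continue
        if line == "}":  # end of the realm block
            realm = None
            continue
        m = re.match(r"^pkinit_dh_min_bits\s*=\s*(\d+)$", line)
        if not m:
            continue
        bits = int(m.group(1))
        if realm is not None:
            realms[realm] = bits
        elif section == "kdcdefaults":
            default_bits = bits
    return default_bits, realms


def effective_bits(default_bits, realm_bits):
    """Realm setting wins, then [kdcdefaults], then the built-in default."""
    if realm_bits is not None:
        return realm_bits
    if default_bits is not None:
        return default_bits
    return MIT_DEFAULT_BITS


def weak_realms(text, floor=2048):
    """Map realm -> effective pkinit_dh_min_bits for realms below `floor`."""
    default_bits, realms = parse_kdc_conf(text)
    result = {}
    for name, bits in realms.items():
        eff = effective_bits(default_bits, bits)
        if eff < floor:
            result[name] = eff
    return result


if __name__ == "__main__":
    for name, bits in sorted(weak_realms(SAMPLE_KDC_CONF).items()):
        print(f"{name}: pkinit_dh_min_bits effectively {bits} (< 2048)")
```

Run against a real kdc.conf by passing its contents to weak_realms(); a realm that appears with 1024 is the case the thread warns about, while 1760 is the interoperability compromise suggested for OS X clients and is still flagged here so that the trade-off is a deliberate decision rather than an oversight.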