Thanks - tried setting libdefaults pkinit_dh_min_bits = 1760, but got the error below. It may be a Mavericks limitation. I'll try Yosemite tomorrow.

kinit: krb5_get_init_creds: Did not find a DH group parameter matching requirement of 1760 bits

Appreciate the help.

Glenn

On 1/18/16, 6:26 PM, "Greg Hudson" <ghud...@mit.edu> wrote:

> On 01/18/2016 07:30 PM, Machin, Glenn D wrote:
>> Apparently MacOSX Heimdal is set at 1024 and has no (at least none that I can find) krb5.conf attribute like pkinit_dh_min_bits.
>
> From a look at the source code, it seems like Heimdal supports a pkinit_dh_min_bits variable in [libdefaults], but only has built-in DH groups at 1024 and 1760 bits. If I'm right, you would need a krb5.moduli file to make it support a 2048-bit group, and I can't find any documentation on how to do that.
>
> (To Heimdal's credit, it has supported ECDH PKINIT using P-256 for years now, but that doesn't help you interoperate because MIT krb5 doesn't implement it.)
>
>> The MIT KDC minimum is 2048 and even if you set the kdc.conf pkinit_dh_min_bits to 1024 the source code's minimum is defined at 2048.
>
> This was changed in 1.11.3 and 1.12+; we now allow values as low as 1024 bits to be configured. Be aware that cryptographers believe 1024-bit Diffie-Hellman to be attackable by nation-state adversaries. It seems like a value of 1760 bits might work with OS X clients (even without configuration), so you might consider that instead.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
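A small configuration audit, added here as an example and not code from the thread or from either Kerberos project: it reads the [libdefaults] section of a krb5.conf, picks the smallest DH group a Heimdal client could offer for its pkinit_dh_min_bits (assuming only the built-in 1024- and 1760-bit groups Greg describes), and reports whether an MIT KDC with the 2048-bit default mentioned above would accept it. The parser, SAMPLE_KRB5_CONF and the status labels are constructed for this example.

```python
"""Audit PKINIT DH settings in a krb5.conf against the groups a client can offer.
Constructed example, not part of the mailing-list thread. Assumptions taken from
the thread: Heimdal has built-in DH groups of 1024 and 1760 bits only, and the
MIT KDC's default pkinit_dh_min_bits is 2048."""
import re

HEIMDAL_BUILTIN_GROUPS = (1024, 1760)  # assumption: built-in groups per the thread
MIT_KDC_DEFAULT_MIN_BITS = 2048        # MIT KDC default, per the thread
WEAK_AT_OR_BELOW_BITS = 1024           # 1024-bit DH considered attackable, per the thread

# Constructed client configuration mirroring the setting tried in the thread.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    pkinit_dh_min_bits = 1760
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

def parse_krb5_conf(text):
    """Minimal parser for flat 'key = value' lines under [section] headers.
    Nested realm blocks ({ ... }) are skipped; only [libdefaults] matters here."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            current, depth = sections.setdefault(header.group(1), {}), 0
            continue
        if "{" in line or "}" in line:
            depth += line.count("{") - line.count("}")
            continue
        key, sep, value = line.partition("=")
        if sep and depth == 0 and current is not None:
            current[key.strip()] = value.strip()
    return sections

def client_dh_group(conf_text, builtin=HEIMDAL_BUILTIN_GROUPS):
    """Smallest built-in group meeting pkinit_dh_min_bits (unset: smallest group), or
    None when no built-in group is large enough (kinit's 'Did not find a DH group')."""
    libdefaults = parse_krb5_conf(conf_text).get("libdefaults", {})
    min_bits = int(libdefaults.get("pkinit_dh_min_bits", builtin[0]))
    return min((g for g in builtin if g >= min_bits), default=None)

def audit(conf_text, kdc_min_bits=MIT_KDC_DEFAULT_MIN_BITS):
    """Return (status, group): 'no-group', 'kdc-rejects', 'weak' or 'ok'."""
    group = client_dh_group(conf_text)
    if group is None:
        return "no-group", None
    if group < kdc_min_bits:
        return "kdc-rejects", group  # KDC pkinit_dh_min_bits must be lowered to interoperate
    if group <= WEAK_AT_OR_BELOW_BITS:
        return "weak", group
    return "ok", group
```

Running audit(SAMPLE_KRB5_CONF) reproduces the interop problem in the thread (a 1760-bit offer against a 2048-bit KDC minimum); passing kdc_min_bits=1760 shows the combination Greg suggests.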