Configure Kerberos to use System Crypto Policy
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
Description
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
Kerberos is supported by crypto policy, but it’s configuration may be
set up to ignore it.
To check that Crypto Policies settings for Kerberos are configured correctly, examine that there is a symlink at
/etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config.
If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings.
Rationale
Overriding the system crypto policy makes the behavior of Kerberos violate expectations,
and makes system configuration more fragmented.
Shell script
The following script can be run on the host to remediate the issue.
#!/bin/bash
rm -f /etc/krb5.conf.d/crypto-policies
ln -s /etc/crypto-policies/back-ends/krb5.config /etc/krb5.conf.d/crypto-policies
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: Configure Kerberos to use System Crypto Policy
file:
src: /etc/crypto-policies/back-ends/krb5.config
path: /etc/krb5.conf.d/crypto-policies
state: link
tags:
- NIST-800-53-SC-12(2)
- NIST-800-53-SC-12(3)
- NIST-800-53-SC-13
- configure_kerberos_crypto_policy
- configure_strategy
- high_severity
- low_complexity
- low_disruption
- reboot_required
