Does net-snmp support AES-192 and AES-256 encryption?

The network device has been configured with SNMPv3 users which use AES192 as the privacy protocol. But when the following command is executed
snmpwalk -v3 -l authPriv -u user -a SHA -A authpass -x AES256 -X privpass device_ip:161 oid
It throws the following error
Invalid privacy protocol specified after -x flag: AES256
But when I tried using AES128 encryption, the snmpwalk worked perfectly fine, which made me wonder whether AES192 and AES256 are supported at all, and if not, why they were not included.

The original SNMP RFC documents do not require those.
Thus, along with other reasons, Net-SNMP has never supported them:
http://www.net-snmp.org/wiki/index.php/Strong_Authentication_or_Encryption
Update in 2019: in Aug 2018, net-snmp 5.8 introduced support for them; please refer to the same link for more info.

Net-snmp does not support AES 192 or 256. There are many devices (including most Cisco devices) that do support both 192 and 256 bit AES. Manager side software supporting AES 192 and 256 is available from several sources including SNMP Research, LogMatrix, CA, and others.

Even though the original RFC does not require AES192 and AES256, some vendors have implemented them, for example Cisco.
Net-SNMP did not support this until release 5.8 (source):
Does Net-SNMP support AES192 or AES256? The short answer is Yes, starting with release 5.8 AES192 and AES256 are an optional configure option.
Other SNMP libraries, such as SNMP4J, also have support for AES256:
https://www.snmp4j.org/doc/org/snmp4j/security/PrivAES256.html
https://stackoverflow.com/a/41833176/1067124
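The reason the RFCs stop at AES-128, and the reason two implementations can both say "AES256" and still fail to interoperate, is the key derivation. RFC 3414 turns the privacy password into a key with the authentication hash and then localizes it to the agent's engine ID, so the longest key the standard scheme can produce is one digest: 16 bytes with MD5, 20 with SHA-1. That is enough for DES and for AES-128 (RFC 3826), but AES-192 and AES-256 need 24 and 32 bytes, and the extra bytes have to come from a key-extension step that no RFC defines. Net-SNMP 5.8 built with --enable-blumenthal-aes exposes, as I recall, both the draft-blumenthal-aes-usm variant and the Cisco variant under different protocol names (AES192/AES256 versus AES192C/AES256C); check the usage text of your build for the exact spelling, and make sure the device and the manager agree on the variant, not just on the key size. The example below is added here, not code from Net-SNMP or from any of the answers; it implements the RFC 3414 derivation and reports the shortfall for each privacy protocol:

```python
"""RFC 3414 password-to-key and key localization, and the length gap that
keeps AES-192/AES-256 outside RFC 3826.  Added example, not Net-SNMP code."""
import hashlib

ONE_MIB = 1_048_576

# Key material each USM privacy protocol consumes from the localized key:
# DES (RFC 3414): 8-byte key + 8-byte pre-IV; AES-128 (RFC 3826): 16-byte key.
# AES-192/256 are in no RFC; these are simply the raw AES key sizes.
PRIV_KEY_BYTES = {"DES": 16, "AES128": 16, "AES192": 24, "AES256": 32}


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2: Ku = H(password repeated to exactly 1 MiB)."""
    if not password:
        raise ValueError("empty password")
    reps, rem = divmod(ONE_MIB, len(password))
    return hashlib.new(hash_name, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku), so the key differs per agent."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_priv_key(password: bytes, engine_id: bytes, hash_name: str) -> bytes:
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


def key_shortfall(hash_name: str, priv_protocol: str) -> int:
    """Bytes missing when Kul from `hash_name` must key `priv_protocol`.
    0 means RFC 3414/3826 truncation suffices; >0 means a vendor-specific
    key-extension step has to be applied, and vendors do not all agree on it."""
    have = hashlib.new(hash_name).digest_size
    return max(0, PRIV_KEY_BYTES[priv_protocol] - have)


if __name__ == "__main__":
    # RFC 3414 A.3 test vectors: password "maplesyrup", engineID 00..00 02.
    engine_id = bytes(11) + b"\x02"
    for name in ("md5", "sha1"):
        kul = localized_priv_key(b"maplesyrup", engine_id, name)
        print(name, "Kul =", kul.hex(), f"({len(kul)} bytes)")
        for proto in PRIV_KEY_BYTES:
            print(f"  {proto:7s} needs {PRIV_KEY_BYTES[proto]}, short by {key_shortfall(name, proto)}")
```

Running it prints the RFC 3414 appendix A.3 keys and shows AES256 short by 16 bytes with MD5 and by 12 with SHA-1. With the RFC 7860 SHA-2 authentication protocols the localized key is already 32 bytes for SHA-256, so the shortfall is 0, but that closes only the length gap; which extension algorithm a device applies when the key is short is still the thing to verify against the vendor's documentation.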

Cisco supports AES 192 and 256, but I have found no public software that supports the related client calls. These versions are in actual use.


How to set preferred Kerberos/GSSAPI library in ssh config file?

I can connect to a remote host using Kerberos in PuTTY on Windows 10, but I cannot do the same thing in VS Code.
In PuTTY, there is a setting (see below) that specifies the order of GSSAPI libraries:
Since this answer states that Windows "has two Kerberos libraries (MIT KfW & Windows SSPI)", I suspect that VS Code is not defaulting to the correct, MIT Kerberos GSSAPI64.DLL library.
But I can't seem to find any answers online that shows how to specify the preference or order of such libraries in my ssh config file.
Any suggestions are welcome! Thanks in advance.
There is no way to do that.
When VSCode makes an SSH connection, it normally uses the ssh.exe program from OpenSSH rather than using PuTTY.
PuTTY has been deliberately written to load the libraries on the fly (to avoid the .exe having any hard dependencies), so its ability to configure the library paths is there "for free". That's not the case for OpenSSH, however, or even most other Kerberos-using programs – ssh.exe is "hard" linked to one specific library at compile time; it can dynamically load PKCS#11 backends but hasn't been programmed to dynamically load GSSAPI backends.
In addition, Windows SSPI actually provides a different API from that of GSSAPI – the core concepts and flows are the same, but the function names and prototypes differ quite a bit. Again, PuTTY supports both only because it was deliberately written to do so. Standard OpenSSH would only support GSSAPI, and while Microsoft has patched the "in-box" Win32-OpenSSH to use SSPI, it is still one or the other – you can't really make the Windows ssh.exe load MIT libgssapi instead.
There are several workarounds, though:
You can try installing a different OpenSSH build for Windows that does use GSSAPI from MIT Kerberos; perhaps either Cygwin OpenSSH, or the MSYS OpenSSH that's included with Git could work (if it has GSSAPI support at all).
You can try configuring VSCode to run PuTTY's command-line SSH client plink.exe instead of ssh.exe. This likely won't work for interactive shell sessions, but might be able to handle non-interactive ones (such as VSCode Remoting).
You can try using Windows SSPI, as it does not actually require domain membership to work as a Kerberos client – it's enough to save your Kerberos credentials in Windows:
cmdkey /add:*.example.com /user:sam@EXAMPLE.COM /pass
Note that if the realm is not running Active Directory, you also need to mark it as a "MIT realm" as an Administrator (the presence of a "realm flags" setting – even an empty one – is needed to prevent Windows from doing AD-specific Netlogon probes):
ksetup /addrealmflags EXAMPLE.COM TcpSupported
With the password stored, enabling GSSAPIAuthentication yes in your ~\.ssh\config will allow Windows OpenSSH (as well as PuTTY with SSPI) to connect using Kerberos to any host matching the specified *.example.com.

How to verify authenticity of host when fingerprint not in the same format that host provides you?

I was trying to do an npm install today and ran into an error that looks like this:
The authenticity of host 'github.com (140.82.114.3)' can't be established <trash due to npm overwriting part of the line>
ECDSA key fingerprint is xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
I have redacted the actual fingerprint but it was hex digits. In another question some of the answers establish that you should verify the authenticity of this key here. But when I go to this page I see keys in a totally different format:
SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8 (RSA)
SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM (ECDSA)
SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU (Ed25519)
I'm assuming since the message I saw mentioned ECDSA I should be trying to compare it to the second value, but beyond this, how do I get this value in the xx:xx:xx... format? You would assume that something important like this would be easy to compare so I'm a bit puzzled as to why there seems to be some excessive friction.
The format you're seeing for your fingerprints is the legacy hex format using MD5. Because MD5 is insecure and no longer suitable for use, since OpenSSH 6.8, fingerprints are printed using SHA-256 and base64. SHA-256 is presently considered secure and is a good choice for a cryptographic hash function.
This probably means that you're using a very old version of OpenSSH, possibly on an unsupported operating system, such as CentOS 6. If your OS is no longer supported, you should upgrade to one receiving security updates for everyone's benefit.
If in the meantime you still need to access GitHub, you can download the actual keys (as well as the fingerprints) from the GitHub API. If you save the ECDSA key into a file, say key, then you can run ssh-keygen -l -f key and it will print the fingerprint for that key in a format you can use.
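The two formats are just two hashes of the same key blob (the base64 field of the public-key line), so the comparison can be done without ssh-keygen once you have the key from the GitHub API. The example below is added here and is not part of the answer; the ssh-ed25519 key in it is constructed from arbitrary bytes so that it runs offline, and is not GitHub's key. It parses either an `id_*.pub`-style line or a known_hosts line, prints both fingerprint forms, and checks a fingerprint an old client showed you against the key in either form:

```python
"""OpenSSH host-key fingerprints in both formats from a public-key line.
Added example for this answer; the key below is constructed, not GitHub's."""
import base64
import hashlib
import struct


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


# Constructed ssh-ed25519 key blob (32 arbitrary bytes, NOT a real key):
# fingerprints only hash the blob, so any well-formed blob demonstrates the math.
DEMO_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
DEMO_PUBKEY_LINE = "ssh-ed25519 " + base64.b64encode(DEMO_BLOB).decode() + " demo@example"
DEMO_KNOWN_HOSTS_LINE = "github.com,140.82.114.3 " + DEMO_PUBKEY_LINE


def parse_pubkey_line(line: str) -> tuple:
    """Accept 'type base64 [comment]' (id_*.pub, the GitHub API) or a
    known_hosts line 'hosts type base64 [comment]'; return (type, blob)."""
    fields = line.split()
    for i, f in enumerate(fields[:-1]):
        if f.startswith(("ssh-", "ecdsa-sha2-", "sk-")):
            blob = base64.b64decode(fields[i + 1], validate=True)
            # the blob's first field is the key type; it must match the text label
            (tlen,) = struct.unpack_from(">I", blob, 0)
            if blob[4:4 + tlen] != f.encode():
                raise ValueError("key type label does not match blob")
            return f, blob
    raise ValueError("no public key found in line")


def md5_fingerprint(blob: bytes) -> str:
    """Legacy format (OpenSSH < 6.8 default): 16 colon-separated hex bytes."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def sha256_fingerprint(blob: bytes) -> str:
    """Current format: 'SHA256:' + unpadded base64 of the digest."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def fingerprints(line: str) -> dict:
    ktype, blob = parse_pubkey_line(line)
    return {"type": ktype, "MD5": md5_fingerprint(blob), "SHA256": sha256_fingerprint(blob)}


def matches(line: str, shown: str) -> bool:
    """Does the fingerprint an ssh client printed (either format, with or
    without an 'MD5:' prefix, any case) belong to the key on `line`?"""
    fp = fingerprints(line)
    s = shown.strip()
    if s.startswith("SHA256:"):
        return s.rstrip("=") == fp["SHA256"]
    if s.upper().startswith("MD5:"):
        s = s[4:]
    return s.lower() == fp["MD5"]


if __name__ == "__main__":
    for k, v in fingerprints(DEMO_KNOWN_HOSTS_LINE).items():
        print(f"{k:7s} {v}")
```

On a current OpenSSH, `ssh-keygen -E md5 -lf key` prints the legacy colon form of a saved key directly (with an `MD5:` prefix), which is the quickest way to get a value you can hold against the old client's prompt. Treat the MD5 comparison as a stopgap for the duration of that one session: it is fine for telling a typo'd or spoofed key apart from the published one, but the real fix is the newer client the answer recommends.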

Keycloak: is MIT Kerberos client needed?

I am using the Keycloak single sign-on server and want to enable Kerberos authentication
https://www.keycloak.org/docs/latest/server_admin/index.html#_kerberos
In the documentation they say I have to install an MIT Kerberos client on the Keycloak server.
As far as I know, the JDK has classes for the Kerberos protocol. For example, this was one of the exceptions I had:
Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96
at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:278)
at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149)
at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829)
... 93 more
And here is also a reference link.
https://docs.oracle.com/javase/10/security/single-sign-using-kerberos-java1.htm#JSSEC-GUID-D4230975-A28B-4532-B1DD-3C7219A4867F
So my question is: what actually is the MIT Kerberos client? Is it part of the JDK, or is it a library on which the JDK depends?
BTW I am running the keycloak server on a windows machine and did not have to install any extra client.
On Linux, the MIT Kerberos client is an OS package, which includes C libraries and command-line utilities such as kinit, klist, ktutil:
on RedHat / CentOS / etc sudo yum install krb5-workstation
on Ubuntu / etc sudo apt-get install krb5-user
On Windows, the OS comes with the Microsoft implementation of Kerberos (as used in Active Directory) which includes a ton of custom extensions and oddities, including a specific "LSA cache" for credentials which is managed by the OS (and which may not be accessible by non-Microsoft apps, depending on OS type and whether or not you have tweaked a registry flag).
But you can install the MIT Kerberos for Windows app that bridges the gap between "standard" and "Microsoft" Kerberos implementations. Somehow.
WARNING >> On Windows you may end with three different klist.exe utilities, which list different ticket caches with different options -- the one bundled with Windows, the one bundled with Java, the one bundled with MIT Kerberos for Windows app; mind your PATH.

Seeking information on hardware SHA-2 acceleration

This year AMD released a new series of x86-64 desktop CPUs named Ryzen. Ryzen's specification shows it provides the new SSE-based SHA-1 and SHA-256 instructions (see the Wikipedia article on the Intel SHA extensions):
sha1 instructions: SHA1RNDS4, SHA1NEXTE, SHA1MSG1, SHA1MSG2;
sha-256 instructions: SHA256RNDS2, SHA256MSG1, SHA256MSG2
I am curious: do any APIs/libraries already exist that are able to leverage these instructions for ultra-fast hashing, to be used in PHP or other server-side languages, when you use an AMD Ryzen CPU?
If not, when should we expect it to be available ?
Since Intel provided the specification for hardware SHA around 2013, it seems at least a couple of compilers must have provided support for it.
Support of hardware-accelerated SHA256 was added to openssl 1.0.2 [22 Jan 2015]:
https://git.openssl.org/gitweb/?p=openssl.git;a=blob;f=CHANGES
Changes between 1.0.1l and 1.0.2 [22 Jan 2015]
*) Support for new and upcoming Intel processors, including AVX2,
BMI and SHA ISA extensions. This includes additional "stitched"
implementations, AESNI-SHA256 and GCM, and multi-buffer support
for TLS encrypt.
So, with capable hardware and a recent OpenSSL, any PHP/Python library which uses OpenSSL to compute SHA256 may use hardware-accelerated SHA256 digest computation (if enabled in OpenSSL and if that implementation is selected by the library). And the command line too: openssl dgst -sha256 -binary file_to_be_hashed.
There are some raw bindings of openssl library in php: http://php.net/manual/en/function.openssl-digest.php and OPENSSL_ALGO_SHA256 is there since PHP 5.5: which openssl version support for sha256 in php
Linux Kernel CryptoAPI may use hardware SHA1/SHA2 since 4.4 version: https://www.phoronix.com/scan.php?page=news_item&px=Linux-4.4-Crypto (http://lkml.iu.edu/hypermail/linux/kernel/1511.0/00383.html); but it is unlikely that PHP/other scripting library will use kernel cryptoapi.
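Whether the fast path is actually taken is worth checking rather than assuming: OpenSSL chooses its SHA-NI code at runtime from CPUID, and a scripting language only benefits if its hash calls go through OpenSSL at all. The example below is added here, not from the answer; its /proc/cpuinfo text is constructed, not captured from a machine. It reads the CPU flags, tells you whether Python's hashlib is OpenSSL-backed (so it inherits OpenSSL's dispatch, the same way PHP's openssl_digest() does), and measures SHA-256 throughput so you can compare with and without the extension. The OPENSSL_ia32cap mask it mentions is my reading of the OPENSSL_ia32cap(3) man page; verify it on your build before trusting the A/B numbers.

```python
"""Is SHA-NI present and is hashlib OpenSSL-backed?  Added example, not from
the answer; the cpuinfo text below is constructed, not captured."""
import hashlib
import os
import time

SAMPLE_CPUINFO_RYZEN = (
    "processor\t: 0\n"
    "vendor_id\t: AuthenticAMD\n"
    "model name\t: AMD Ryzen 7 1700 Eight-Core Processor\n"
    "flags\t\t: fpu vme de pse sse2 ssse3 aes avx avx2 bmi1 bmi2 sha_ni\n"
)
SAMPLE_CPUINFO_NO_SHA = "processor\t: 0\nflags\t\t: fpu vme de pse sse2 ssse3 aes avx\n"

# OpenSSL picks its SHA-NI code path at runtime from CPUID.  Masking bit 29 of
# the CPUID(7).EBX word (my reading of OPENSSL_ia32cap(3); verify on your build)
# forces the software path, which gives you an A/B benchmark on one machine:
#   OPENSSL_ia32cap=":~0x20000000" openssl speed -evp sha256
OPENSSL_IA32CAP_NO_SHA = ":~0x20000000"


def cpu_flags(cpuinfo_text: str) -> set:
    """Flags of the first CPU in a /proc/cpuinfo-style text."""
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags":
            return set(value.split())
    return set()


def has_sha_ni(cpuinfo_text: str) -> bool:
    return "sha_ni" in cpu_flags(cpuinfo_text)


def local_cpuinfo() -> str:
    try:
        with open("/proc/cpuinfo", encoding="utf-8") as f:
            return f.read()
    except OSError:          # not Linux, or not readable
        return ""


def hashlib_uses_openssl() -> bool:
    """True when hashlib.sha256 is the OpenSSL constructor (so it inherits
    OpenSSL's SHA-NI dispatch) rather than CPython's fallback _sha256 module."""
    try:
        import _hashlib
    except ImportError:
        return False
    return hashlib.sha256 is getattr(_hashlib, "openssl_sha256", None)


def sha256_throughput_mib_s(size_mib: int = 64) -> float:
    """Hash size_mib MiB of random data through one sha256 object; returns MiB/s."""
    chunk = os.urandom(1 << 20)
    h = hashlib.sha256()
    t0 = time.perf_counter()
    for _ in range(size_mib):
        h.update(chunk)
    h.digest()
    return size_mib / (time.perf_counter() - t0)


if __name__ == "__main__":
    info = local_cpuinfo()
    print("cpuinfo sha_ni:", has_sha_ni(info) if info else "unknown (no /proc/cpuinfo)")
    print("hashlib via OpenSSL:", hashlib_uses_openssl())
    print(f"sha256: {sha256_throughput_mib_s():.0f} MiB/s")
```

Run it once normally and once with the environment variable set; if the two throughput figures are the same, the extension is not being used, regardless of what cpuinfo says (a container or hypervisor can hide the flag, and an old OpenSSL will not know the instructions).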

How to support ADB authentication with a MCU?

I have developed an embedded application running on a Freescale FRDM-KL25Z (Cortex-M0) board to connect to an Android phone (HTC Tattoo) via the ADB (Android Debug Bridge) protocol.
However, Google has enforced RSA authentication over USB ADB since v4.2.2 (Jelly Bean) to improve security. That means my design only supports Android devices from v1.5 to v4.2.1.
During the A_CNXN message, an A_AUTH message is replied by my Galaxy Nexus to get my RSA (key) as a black list.
I cannot find enough information regarding the RSA authentication used in the ADB interface, such as key length and key storage locations. I cannot find related documentation describing the implementation details.
Is it possible to deploy RSA authentication on an embedded ARM MCU? So far I have found an implementation for the LPC1343 (Cortex-M3) with a limited integer length for the RSA calculation (64 bit). However, RSA uses at least 512-bit integers in commercial authentication algorithms.
If not, then I have to change my design to support ADK/AOA at the same time. But AOA/ADK doesn't support older devices before v2.3.7. It makes things more complex; at least my applications running on Android would have to be developed using both approaches.
What a mess.
Recently I have evaluated mbed TLS (mbed-example-tls-benchmark) with an STM32F401 (512KB ROM/196KB RAM M4 at 84MHz); its benchmark figures show RSA2048 can be finished within 2000ms. However, it throws a memory malloc error on an STM32F103RB (128KB ROM/20KB RAM M3 at 72MHz).
Therefore I tentatively concluded that an M3/M4 core can support RSA2048 within an acceptable time window, but its memory is a bottleneck. At least we have to use 32KB/64KB of RAM for RSA/TLS.
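The parts of the exchange the question says are undocumented are small and fixed, and can be replayed in software before committing to an MCU design. From the adb sources as I read them (adb_auth_host, adbd's auth code and libcrypto_utils; this is my summary, not Android documentation): the host key is RSA-2048, stored as PEM in ~/.android/adbkey with the public half in adbkey.pub; the device keeps accepted public keys, one per line in the same encoding, in /data/misc/adb/adb_keys; the device's A_AUTH challenge carries a 20-byte random token; the host answers with an A_AUTH of type SIGNATURE containing RSA_sign(NID_sha1, token), i.e. the raw token wrapped in the SHA-1 DigestInfo and PKCS#1 v1.5 padded; if no known key verifies, the host sends A_AUTH of type RSAPUBLICKEY with its adbkey.pub line and the user has to accept the key on screen. The example below is added here and is not Android or adb code. Its RSA key generation is pure Python only so that it runs self-contained and is demo-only; the key, user@host comment and trusted-key list are constructed for the run. For an MCU the cost it makes visible is one 2048-bit private-key exponentiation per connection, which matches the mbed TLS numbers above, plus the need to keep that private key on the board and protected, since whoever reads it out gets debug access to every phone that has accepted it.

```python
"""ADB RSA authentication (Android >= 4.2.2) replayed between a host (the
MCU's role) and a device.  Added example written from my reading of the adb
sources (adb_auth_host / adbd auth / libcrypto_utils); not Android code.
RSA key generation is pure Python for self-containment and is demo-only."""
import base64
import hmac
import math
import secrets
import struct

A_AUTH = 0x48545541                 # "AUTH" as a little-endian uint32 command
ADB_AUTH_TOKEN, ADB_AUTH_SIGNATURE, ADB_AUTH_RSAPUBLICKEY = 1, 2, 3
TOKEN_SIZE = 20                     # adbd's challenge: 20 random bytes
KEY_BITS = 2048                     # adb host keys are RSA-2048 (~/.android/adbkey)
# adb calls RSA_sign(NID_sha1, token, 20, ...): the raw token is wrapped in the
# SHA-1 DigestInfo and PKCS#1 v1.5-padded, i.e. it is treated AS a SHA-1 digest.
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")

_SMALL_PRIMES = [p for p in range(3, 1000, 2)
                 if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]

def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Trial division, then Miller-Rabin with random bases."""
    if n < 2 or n % 2 == 0:
        return n == 2
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa_key(bits: int = KEY_BITS, e: int = 65537):
    """Return (n, e, d).  Top two bits of p and q set so n is exactly `bits` long."""
    def prime(b):
        while True:
            c = secrets.randbits(b) | (3 << (b - 2)) | 1
            if _is_probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)

def _emsa_pkcs1_v15_sha1(token: bytes, k: int) -> bytes:
    if len(token) != TOKEN_SIZE:
        raise ValueError("ADB tokens are 20 bytes")
    t = SHA1_DIGESTINFO + token
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign_token(token: bytes, key) -> bytes:
    n, _, d = key
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15_sha1(token, k), "big"), d, n).to_bytes(k, "big")

def verify_token(token: bytes, sig: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15_sha1(token, k))

def android_pubkey_encode(n: int, e: int, comment: str = "mcu@example") -> str:
    """adbkey.pub / adb_keys line: base64 of {len in words, n0inv, n LE, rr LE, e}
    plus a comment.  n0inv and rr are Montgomery constants precomputed for the device."""
    words, nbytes = KEY_BITS // 32, KEY_BITS // 8
    n0inv = (-pow(n, -1, 1 << 32)) & 0xFFFFFFFF
    rr = pow(2, 2 * KEY_BITS, n)
    raw = (struct.pack("<II", words, n0inv) + n.to_bytes(nbytes, "little")
           + rr.to_bytes(nbytes, "little") + struct.pack("<I", e))
    return base64.b64encode(raw).decode() + " " + comment

def android_pubkey_decode(line: str):
    raw = base64.b64decode(line.split()[0])
    (words,) = struct.unpack_from("<I", raw, 0)
    nbytes = words * 4
    n = int.from_bytes(raw[8:8 + nbytes], "little")
    (e,) = struct.unpack_from("<I", raw, 8 + 2 * nbytes)
    return n, e

def pack_message(command: int, arg0: int, arg1: int, data: bytes) -> bytes:
    """24-byte adb header (protocol.txt): cmd, arg0, arg1, len, checksum, magic = ~cmd."""
    return struct.pack("<6I", command, arg0, arg1, len(data),
                       sum(data) & 0xFFFFFFFF, command ^ 0xFFFFFFFF) + data

def run_exchange(host_key, device_adb_keys):
    """Device challenges, host signs; if no key in the device's adb_keys verifies,
    the host offers its public key (user must accept on screen).  Simplified:
    real adbd issues a fresh token before the RSAPUBLICKEY step."""
    n, e, _ = host_key
    token = secrets.token_bytes(TOKEN_SIZE)
    sig = sign_token(token, host_key)
    msgs = [pack_message(A_AUTH, ADB_AUTH_TOKEN, 0, token),
            pack_message(A_AUTH, ADB_AUTH_SIGNATURE, 0, sig)]
    ok = any(verify_token(token, sig, *android_pubkey_decode(k)) for k in device_adb_keys)
    if not ok:
        pub = android_pubkey_encode(n, e).encode() + b"\x00"   # adb sends it NUL-terminated
        msgs.append(pack_message(A_AUTH, ADB_AUTH_RSAPUBLICKEY, 0, pub))
    return ok, msgs

if __name__ == "__main__":
    key = generate_rsa_key()
    trusted = [android_pubkey_encode(key[0], key[1])]
    print("known key:", run_exchange(key, trusted)[0])
    print("unknown key:", run_exchange(key, [])[0])
```

The adbkey.pub line produced by android_pubkey_encode starts with "QAAAA", which is what real adbkey.pub files start with (the little-endian word count 64), so you can diff the encoding against a real file from a desktop adb. On the MCU side, sign_token is the only per-connection operation, and the public-key encoding can be precomputed once at provisioning time.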