I've been setting up an environment that uses (non windows) MIT Kerberos to authenticate nodes in a cluster. While I was going through the authentication server's logs, I noticed tons of messages about pre-authentication and AS-REP responses and such. For what it's worth, the principals (users in kerberos slang) are extremely guessable since they have to follow a specific format.
The other problem is that due to java encryption limitations, I have to use extremely weak ciphers (des3-cbc-sha1). I tried installing the JCE Unlimited Policy extensions and it didn't seem to help at all.
– Is it possible to do an ASREPRoast attack on a non-Windows Kerberos server? Are there other Windows Kerberos attacks that work on MIT Kerberos?
– Is there anything I can do to defend against this?
– Do I need to set any settings for Java to get access to the extra cryptography stuff (the readme just said to overwrite the jar files)? Is there a better Kerberos cipher that's supported by Java than des3-cbc-sha1 (arcfour-hmac might be an option)?
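As an added example (not part of the question above), a small audit of the krb5kdc log the poster is reading: an AS-REP issued without a preceding NEEDED_PREAUTH challenge from the same client means that principal does not require pre-authentication, which is exactly the condition an AS-REP roast needs, and a reply or ticket etype on the weak list (16 = des3-cbc-sha1, 23 = arcfour-hmac) is the cipher problem from the second paragraph. The log line shapes are assumed to match MIT krb5kdc's default format and the sample lines are constructed.

```python
import re

# Assumed MIT krb5kdc.log line shapes (two lines the KDC writes per AS exchange).
NEEDED_RE = re.compile(r"AS_REQ .*? (?P<ip>[\d.]+): NEEDED_PREAUTH: (?P<princ>\S+) for")
ISSUE_RE = re.compile(
    r"AS_REQ .*? (?P<ip>[\d.]+): ISSUE: authtime \d+, "
    r"etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=\d+\}, (?P<princ>\S+) for"
)

# Deprecated/weak RFC 3961 etype numbers worth flagging.
WEAK_ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "arcfour-hmac"}

# Constructed sample: node01 is challenged for pre-auth and then issued a ticket;
# node02 is issued a ticket straight away, with a des3 reply and ticket key.
SAMPLE_LOG = """\
Mar 10 12:00:01 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: NEEDED_PREAUTH: node01@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Mar 10 12:00:01 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: ISSUE: authtime 1520683201, etypes {rep=18 tkt=18 ses=18}, node01@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Mar 10 12:00:02 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.9: ISSUE: authtime 1520683202, etypes {rep=16 tkt=16 ses=16}, node02@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""


def audit_kdc_log(lines):
    """Return (kind, principal, detail) findings.

    'no_preauth': an AS-REP was issued to a (client, principal) pair that was never
    sent a NEEDED_PREAUTH challenge, i.e. the principal lacks +requires_preauth and
    its encrypted AS-REP part can be collected for offline guessing.
    'weak_etype': the reply key or ticket key uses an etype on WEAK_ETYPES.
    """
    challenged = set()
    findings = []
    for line in lines:
        m = NEEDED_RE.search(line)
        if m:
            challenged.add((m["ip"], m["princ"]))
            continue
        m = ISSUE_RE.search(line)
        if not m:
            continue
        if (m["ip"], m["princ"]) not in challenged:
            findings.append(("no_preauth", m["princ"], m["ip"]))
        for field in ("rep", "tkt"):
            et = int(m[field])
            if et in WEAK_ETYPES:
                findings.append(("weak_etype", m["princ"], f"{field}={WEAK_ETYPES[et]}"))
    return findings


if __name__ == "__main__":
    for finding in audit_kdc_log(SAMPLE_LOG.splitlines()):
        print(*finding)
```

The fix for a 'no_preauth' finding on MIT Kerberos is `kadmin modprinc +requires_preauth <principal>`; a 'weak_etype' finding points at the `supported_enctypes`/client etype lists rather than at the KDC.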