[37171] in Kerberos


Re: Encryption type settings in kdc.conf and krb5.conf

daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Jul 27 11:26:49 2015

Message-ID: <55B64DA8.9080301@mit.edu>
Date: Mon, 27 Jul 2015 11:26:32 -0400
From: Greg Hudson <ghudson@mit.edu>
MIME-Version: 1.0
To: Todd Grayson <tgrayson@cloudera.com>, kerberos@mit.edu
In-Reply-To: <CALNT6MUD_w0Ax1kTywykCVPXovfkVenDa_XZQtf4hTATsYt+WQ@mail.gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On 07/27/2015 10:51 AM, Todd Grayson wrote:
> The question is; how much variation can be tolerated on the configuration
> of encryption type settings within the krb5.conf / kdc.conf

Only what is listed in the "Encryption types" table.

> I constantly see "clipped" values being used and I wonder, is kerberos
> using those, or is it just discarding and going to default behavior at that
> point, and the settings are worthless.

Unrecognized entries are ignored, but we don't discard the entire
setting as a result.  If all entries in the list are unrecognized, you
can wind up with an empty enctype list, which should cause the affected
operations to fail.

> Examples of this are:
> 
> aes-256 for aes256-cts-hmac-sha1-96
> rc4-hmac for arcfour-hmac-md5

rc4-hmac is in the table and should work.  aes-256 is not a recognized
abbreviation.  Experimentally, if I set:

    [libdefaults]
    default_tkt_enctypes = aes-256

then kinit fails:

    $ KRB5_TRACE=/dev/stdout kinit user
    [5912] 1438010237.103621: Getting initial credentials for user@KRBTEST.COM
    [5912] 1438010237.103688: Unrecognized enctype name in default_tkt_enctypes: aes-256
    [...]
    kinit: No supported encryption types (config file error?) while getting initial credentials
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
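The behaviour Greg describes (unrecognized entries dropped, an all-unrecognized list leaving nothing usable) is easy to check before deploying a krb5.conf. The following is an added example, not code from the thread or from MIT krb5: a small validator that parses `[libdefaults]` enctype lists and reports which entries resolve and which are silently ignored. The name table it uses is an assumed excerpt of the "Encryption types" table from the MIT krb5 documentation, and the family names (`aes`, `rc4`, `des3`, `camellia`) are likewise assumed from those docs; consult your krb5 version's table for the authoritative list. The sample configuration is constructed from the `aes-256` example in the message.

```python
import re
from typing import Dict, List, Tuple

# Assumed excerpt of the MIT krb5 "Encryption types" table:
# canonical name -> accepted aliases. Verify against your krb5 version.
ENCTYPE_ALIASES: Dict[str, List[str]] = {
    "aes256-cts-hmac-sha1-96": ["aes256-cts", "aes256-sha1"],
    "aes128-cts-hmac-sha1-96": ["aes128-cts", "aes128-sha1"],
    "arcfour-hmac": ["rc4-hmac", "arcfour-hmac-md5"],
    "des3-cbc-sha1": ["des3-hmac-sha1", "des3-cbc-sha1-kd"],
    "camellia256-cts-cmac": ["camellia256-cts"],
    "camellia128-cts-cmac": ["camellia128-cts"],
}

# Assumed family names that expand to several enctypes (also from the docs).
FAMILIES: Dict[str, List[str]] = {
    "aes": ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"],
    "rc4": ["arcfour-hmac"],
    "des3": ["des3-cbc-sha1"],
    "camellia": ["camellia256-cts-cmac", "camellia128-cts-cmac"],
}

# Flatten canonical names and aliases into one case-insensitive lookup.
_ALIAS_TO_CANON: Dict[str, str] = {}
for _canon, _aliases in ENCTYPE_ALIASES.items():
    _ALIAS_TO_CANON[_canon] = _canon
    for _a in _aliases:
        _ALIAS_TO_CANON[_a] = _canon


def parse_krb5_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal krb5.conf reader: [section] headers and key = value lines.
    Nested {...} relation blocks and ';' comments are not handled; this is
    enough to read default_tkt_enctypes and friends from [libdefaults]."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return sections


def resolve_enctype_list(value: str) -> Tuple[List[str], List[str]]:
    """Split a whitespace/comma separated enctype list and resolve each
    entry; returns (resolved canonical names, entries that were ignored).
    Mirrors the described behaviour: unknown names drop out, the rest stay."""
    resolved: List[str] = []
    unrecognized: List[str] = []
    for tok in re.split(r"[\s,]+", value.strip()):
        if not tok:
            continue
        name = tok.lower()
        if name == "default":          # krb5's built-in default list marker
            expansion = ["DEFAULT"]
        elif name in FAMILIES:
            expansion = FAMILIES[name]
        elif name in _ALIAS_TO_CANON:
            expansion = [_ALIAS_TO_CANON[name]]
        else:
            unrecognized.append(tok)
            continue
        for canon in expansion:
            if canon not in resolved:
                resolved.append(canon)
    return resolved, unrecognized


def check_enctype_setting(conf_text: str, key: str = "default_tkt_enctypes") -> dict:
    """Report what an enctype setting actually yields. ok is False only when
    every entry was unrecognized, i.e. the empty list that makes kinit fail."""
    libdefaults = parse_krb5_conf(conf_text).get("libdefaults", {})
    if key not in libdefaults:
        return {"key": key, "set": False, "enctypes": [], "unrecognized": [], "ok": True}
    enctypes, unrecognized = resolve_enctype_list(libdefaults[key])
    return {"key": key, "set": True, "enctypes": enctypes,
            "unrecognized": unrecognized, "ok": bool(enctypes)}


# Constructed sample, modelled on the aes-256 example from the message.
BROKEN_CONF = """
[libdefaults]
    default_realm = EXAMPLE.TEST
    default_tkt_enctypes = aes-256
"""

if __name__ == "__main__":
    report = check_enctype_setting(BROKEN_CONF)
    for name in report["unrecognized"]:
        print(f"warning: unrecognized enctype name in {report['key']}: {name}")
    if not report["ok"]:
        print(f"error: {report['key']} resolves to an empty list; kinit would fail")
    else:
        print(f"{report['key']} -> {report['enctypes']}")
```

Running it on the constructed sample reproduces the outcome in the trace: `aes-256` is flagged as unrecognized and the resulting empty list is reported as an error, whereas a line such as `default_tkt_enctypes = rc4-hmac aes-256` warns about `aes-256` but still yields a usable list containing `arcfour-hmac`.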
