"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "doc/admin/enctypes.rst" between
krb5-1.17.1.tar.gz and krb5-1.18.tar.gz

About: Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography (MIT implementation). Current release.

enctypes.rst  (krb5-1.17.1):enctypes.rst  (krb5-1.18)
skipping to change at line 49 skipping to change at line 49
TGS-REQ, this list only affects the session key selection. TGS-REQ, this list only affects the session key selection.
.. _session_key_selection: .. _session_key_selection:
Session key selection Session key selection
--------------------- ---------------------
The KDC chooses the session key enctype by taking the intersection of The KDC chooses the session key enctype by taking the intersection of
its **permitted_enctypes** list, the list of long-term keys for the its **permitted_enctypes** list, the list of long-term keys for the
most recent kvno of the service, and the client's requested list of most recent kvno of the service, and the client's requested list of
enctypes. If **allow_weak_crypto** is true, all services are assumed enctypes.
to support des-cbc-crc.
Starting in krb5-1.11, **des_crc_session_supported** in Starting in krb5-1.11, it is possible to set a string attribute on a
:ref:`kdc.conf(5)` allows additional control over whether the KDC service principal to control what session key enctypes the KDC may
issues des-cbc-crc session keys. issue for service tickets for that principal. See :ref:`set_string`
in :ref:`kadmin(1)` for details.
Also starting in krb5-1.11, it is possible to set a string attribute
on a service principal to control what session key enctypes the KDC
may issue for service tickets for that principal. See
:ref:`set_string` in :ref:`kadmin(1)` for details.
Choosing enctypes for a service Choosing enctypes for a service
------------------------------- -------------------------------
Generally, a service should have a key of the strongest Generally, a service should have a key of the strongest
enctype that both it and the KDC support. If the KDC is running a enctype that both it and the KDC support. If the KDC is running a
release earlier than krb5-1.11, it is also useful to generate an release earlier than krb5-1.11, it is also useful to generate an
additional key for each enctype that the service can support. The KDC additional key for each enctype that the service can support. The KDC
will only use the first key in the list of long-term keys for encrypting will only use the first key in the list of long-term keys for encrypting
the service ticket, but the additional long-term keys indicate the the service ticket, but the additional long-term keys indicate the
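Review bot: the dropped paragraph on **des_crc_session_supported** in :ref:`kdc.conf(5)` was the only place this section tied DES session-key policy to a KDC setting; if that knob is being retired together with the removed sentence "If **allow_weak_crypto** is true, all services are assumed to support des-cbc-crc", the matching entry in kdc.conf(5) should be removed or marked obsolete in the same change so the two documents do not disagree. Folding the two "starting in krb5-1.11" paragraphs into one reads fine.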
skipping to change at line 85 skipping to change at line 80
a service principal. a service principal.
Configuration variables Configuration variables
----------------------- -----------------------
The following ``[libdefaults]`` settings in :ref:`krb5.conf(5)` will The following ``[libdefaults]`` settings in :ref:`krb5.conf(5)` will
affect how enctypes are chosen. affect how enctypes are chosen.
**allow_weak_crypto** **allow_weak_crypto**
defaults to *false* starting with krb5-1.8. When *false*, removes defaults to *false* starting with krb5-1.8. When *false*, removes
single-DES enctypes (and other weak enctypes) from weak enctypes from **permitted_enctypes**,
**permitted_enctypes**, **default_tkt_enctypes**, and **default_tkt_enctypes**, and **default_tgs_enctypes**. Do not
**default_tgs_enctypes**. Do not set this to *true* unless the set this to *true* unless the use of weak enctypes is an
use of weak enctypes is an acceptable risk for your environment acceptable risk for your environment and the weak enctypes are
and the weak enctypes are required for backward compatibility. required for backward compatibility.
**permitted_enctypes** **permitted_enctypes**
controls the set of enctypes that a service will accept as session controls the set of enctypes that a service will permit for
keys. session keys and for ticket and authenticator encryption. The KDC
and other programs that access the Kerberos database will ignore
keys of non-permitted enctypes. Starting in release 1.18, this
setting also acts as the default for **default_tkt_enctypes** and
**defaut_tgs_enctypes**.
**default_tkt_enctypes** **default_tkt_enctypes**
controls the default set of enctypes that the Kerberos client controls the default set of enctypes that the Kerberos client
library requests when making an AS-REQ. Do not set this unless library requests when making an AS-REQ. Do not set this unless
required for specific backward compatibility purposes; stale required for specific backward compatibility purposes; stale
values of this setting can prevent clients from taking advantage values of this setting can prevent clients from taking advantage
of new stronger enctypes when the libraries are upgraded. of new stronger enctypes when the libraries are upgraded.
**default_tgs_enctypes** **default_tgs_enctypes**
controls the default set of enctypes that the Kerberos client controls the default set of enctypes that the Kerberos client
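Review bot: typo in the new **permitted_enctypes** text: ``**defaut_tgs_enctypes**`` should be ``**default_tgs_enctypes**``, matching the entry name used further down in this list. Since this setting now also supplies the default for **default_tkt_enctypes** and **default_tgs_enctypes** in release 1.18 and later, the "Do not set this unless required" advice under **default_tkt_enctypes** could point readers to **permitted_enctypes** as the one setting to adjust; and because the KDC and other database-accessing programs now ignore keys of non-permitted enctypes, a short note that narrowing the list makes any existing long-term keys of those enctypes unusable would help operators.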
skipping to change at line 125 skipping to change at line 124
passwords passwords
Enctype compatibility Enctype compatibility
--------------------- ---------------------
See :ref:`Encryption_types` for additional information about enctypes. See :ref:`Encryption_types` for additional information about enctypes.
========================== ===== ======== ======= ========================== ===== ======== =======
enctype weak? krb5 Windows enctype weak? krb5 Windows
========================== ===== ======== ======= ========================== ===== ======== =======
des-cbc-crc weak all >=2000 des-cbc-crc weak <1.18 >=2000
des-cbc-md4 weak all ? des-cbc-md4 weak <1.18 ?
des-cbc-md5 weak all >=2000 des-cbc-md5 weak <1.18 >=2000
des3-cbc-sha1 >=1.1 none des3-cbc-sha1 >=1.1 none
arcfour-hmac >=1.3 >=2000 arcfour-hmac >=1.3 >=2000
arcfour-hmac-exp weak >=1.3 >=2000 arcfour-hmac-exp weak >=1.3 >=2000
aes128-cts-hmac-sha1-96 >=1.3 >=Vista aes128-cts-hmac-sha1-96 >=1.3 >=Vista
aes256-cts-hmac-sha1-96 >=1.3 >=Vista aes256-cts-hmac-sha1-96 >=1.3 >=Vista
aes128-cts-hmac-sha256-128 >=1.15 none aes128-cts-hmac-sha256-128 >=1.15 none
aes256-cts-hmac-sha384-192 >=1.15 none aes256-cts-hmac-sha384-192 >=1.15 none
camellia128-cts-cmac >=1.9 none camellia128-cts-cmac >=1.9 none
camellia256-cts-cmac >=1.9 none camellia256-cts-cmac >=1.9 none
========================== ===== ======== ======= ========================== ===== ======== =======
krb5 releases 1.8 and later disable the single-DES enctypes by krb5 releases 1.18 and later do not support single-DES. krb5 releases
default. Microsoft Windows releases Windows 7 and later disable 1.8 and later disable the single-DES enctypes by default. Microsoft
single-DES enctypes by default. Windows releases Windows 7 and later disable single-DES enctypes by
default.
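Review bot: the new closing paragraph states the krb5-1.18 fact before the older krb5-1.8 one, which reads out of order; consider "krb5 releases 1.8 through 1.17 disable the single-DES enctypes by default, and releases 1.18 and later do not support them at all." The change from "all" to "<1.18" in the krb5 column for the three des-cbc-* table rows is consistent with that sentence.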
 End of changes. 6 change blocks. 
20 lines changed or deleted 19 lines changed or added
