+2003-05-30 Sam Hartman <hartmans@mit.edu>
+
+ * admin.texinfo (Supported Encryption Types): Document AES interop issues.
+
+ * support-enc.texinfo: Add AES enctypes
+
2003-05-27 Tom Yu <tlyu@mit.edu>
* admin.texinfo (realms (kdc.conf)): Update to reflect that
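Review bot: The support-enc.texinfo entry in the new ChangeLog block, "Add AES enctypes", has no closing period, while the admin.texinfo entry directly above it ends with one. Add the period so the two entries match.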
@include support-enc.texinfo
+While aes128-cts and aes256-cts are supported for all Kerberos
+operations, they are not supported by the GSSAPI. AES GSSAPI support
+will be added after the necessary standardization work is
+completed.
+
+By default, AES is enabled on clients and application servers.
+Because of the lack of support for GSSAPI, AES is disabled in the
+default KDC supported_enctypes @ref{kdc.conf}. Sites wishing to use
+AES encryption types on their KDCs need to be careful not to give
+GSSAPI services AES keys. If GSSAPI services are given AES keys, then
+services will start to fail in the future when clients supporting AES
+for GSSAPI are deployed before updated servers that support AES for
+GSSAPI. Sites may wish to use AES for user keys and for the ticket
+granting ticket key, although doing so requires specifying what
+encryption types are used as each principal is created. Alternatively
+sites can use the default configuration which will make AES support
+available in clients and servers but not actually use this support
+until a future version of Kerberos adds support to GSSAPI.
+
@node Salts, krb5.conf, Supported Encryption Types, Configuration Files
@section Salts
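Review bot: The new paragraph tells sites to "be careful not to give GSSAPI services AES keys" and says that using AES for user keys and the ticket granting ticket key "requires specifying what encryption types are used as each principal is created", but it never says how an administrator specifies them. Add a cross-reference to the section that documents choosing encryption types at principal creation, so the warning is actionable. In the same paragraph, "default KDC supported_enctypes @ref{kdc.conf}" drops a bare @ref into the sentence. Writing it as "(@pxref{kdc.conf})" with supported_enctypes wrapped in @code{} would read better in both Info and printed output. The sentence beginning "If GSSAPI services are given AES keys" is also hard to parse. Consider splitting it so the failure condition (AES-capable GSSAPI clients deployed before AES-capable GSSAPI servers) stands on its own.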
triple DES cbc mode with HMAC/sha1
@item des-hmac-sha1
DES with HMAC/sha1
+@item aes256-cts-hmac-sha1-96
+@itemx aes256-cts
+AES-256 CTS mode with 96-bit SHA-1 HMAC
+@item aes128-cts-hmac-sha1-96
+@itemx aes128-cts
+AES-128 CTS mode with 96-bit SHA-1 HMAC
@item arcfour-hmac
@itemx rc4-hmac
@itemx arcfour-hmac-md5
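Review bot: The descriptions for the two new entries, "AES-256 CTS mode with 96-bit SHA-1 HMAC" and "AES-128 CTS mode with 96-bit SHA-1 HMAC", use different wording from the neighbouring entries in the same table, which say "with HMAC/sha1". Consider matching the existing style, for example "AES-256 CTS mode with 96-bit HMAC/sha1". Since the admin.texinfo text added in this same change says these enctypes are not supported by the GSSAPI, a short note or cross-reference to that paragraph here would keep a reader of the table alone from missing the restriction.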