From: Sam Hartman Date: Fri, 30 May 2003 20:01:31 +0000 (+0000) Subject: Document that we support AES and the constraints on that support X-Git-Tag: krb5-1.4-beta1~909 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=fab16f7cb18461136ab3c63a5301a477f5ceec5e;p=krb5.git Document that we support AES and the constraints on that support Ticket: 1535 Tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15526 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/doc/ChangeLog b/doc/ChangeLog index fa79ec649..ae17f335e 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,3 +1,9 @@ +2003-05-30 Sam Hartman + + * admin.texinfo (Supported Encryption Types): Document AES interop issues. + + * support-enc.texinfo: Add AES enctypes + 2003-05-27 Tom Yu * admin.texinfo (realms (kdc.conf)): Update to reflect that diff --git a/doc/admin.texinfo b/doc/admin.texinfo index 314ad1335..7f5aba45a 100644 --- a/doc/admin.texinfo +++ b/doc/admin.texinfo 
@@ -350,6 +350,25 @@ types can be set to some combination of the following strings. @include support-enc.texinfo +While aes128-cts and aes256-cts are supported for all Kerberos +operations, they are not supported by the GSSAPI. AES GSSAPI support +will be added after the necessary standardization work is +completed. + +By default, AES is enabled on clients and application servers. +Because of the lack of support for GSSAPI, AES is disabled in the +default KDC supported_enctypes @ref{kdc.conf}. Sites wishing to use +AES encryption types on their KDCs need to be careful not to give +GSSAPI services AES keys. If GSSAPI services are given AES keys, then +services will start to fail in the future when clients supporting AES +for GSSAPI are deployed before updated servers that support AES for +GSSAPI. Sites may wish to use AES for user keys and for the ticket +granting ticket key, although doing so requires specifying what +encryption types are used as each principal is created. Alternatively +sites can use the default configuration which will make AES support +available in clients and servers but not actually use this support +until a future version of Kerberos adds support to GSSAPI. + @node Salts, krb5.conf, Supported Encryption Types, Configuration Files @section Salts diff --git a/doc/support-enc.texinfo b/doc/support-enc.texinfo index 3f030bad9..ca4e8faab 100644 --- a/doc/support-enc.texinfo +++ b/doc/support-enc.texinfo @@ -16,6 +16,12 @@ DES cbc mode with RSA-MD5 triple DES cbc mode with HMAC/sha1 @item des-hmac-sha1 DES with HMAC/sha1 +@item aes256-cts-hmac-sha1-96 +@itemx aes256-cts +AES-256 CTS mode with 96-bit SHA-1 HMAC +@item aes128-cts-hmac-sha1-96 +@itemx aes128-cts +AES-128 CTS mode with 96-bit SHA-1 HMAC @item arcfour-hmac @itemx rc4-hmac @itemx arcfour-hmac-md5
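Review bot: In the doc/ChangeLog hunk, the new support-enc.texinfo entry ("Add AES enctypes") has no terminating period, while the admin.texinfo entry directly above it does. It would also help to name the strings being added (aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96 and their short forms) so the log can be searched by enctype name.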
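Review bot: In the doc/admin.texinfo hunk, the second added paragraph tells sites "not to give GSSAPI services AES keys" and says this "requires specifying what encryption types are used as each principal is created", but it never says how an administrator does that or where it is documented. Please add a cross-reference to the section that covers choosing enctypes at principal creation, since this is the step that prevents the future service failures the paragraph warns about. Two smaller points in the same paragraph: "supported_enctypes @ref{kdc.conf}." leaves the reference dangling at the end of the sentence, so consider "@code{supported_enctypes} (@pxref{kdc.conf})", and "Alternatively sites can use" wants a comma after "Alternatively".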
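Review bot: In the doc/support-enc.texinfo hunk, the new descriptions use "96-bit SHA-1 HMAC" while the neighbouring entries in the same table write "HMAC/sha1"; pick one spelling so the table reads consistently. Also, the GSSAPI limitation is documented only in admin.texinfo after the @include, so any other manual that includes this file would list the AES strings with no caveat. Consider a short note on the two AES items, or a comment in this file reminding includers to carry the constraint.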