From fd3a2c5a467a42bbb864e1ddc7fc7f5bda93e339 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Tue, 20 Mar 2012 17:39:04 +0000 Subject: [PATCH] Move supported enc/salt type docs to kdc.conf(5) Remove enc_types.rst and move its contents into kdc.conf(5). Adjust references so that man page readers can find the section in the kdc.conf man page. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25780 dc483132-0cff-0310-8789-dd5450dbe970 --- .../admin_commands/kadmin_local.rst | 3 +- .../admin_commands/kdb5_ldap_util.rst | 5 +- .../krb_admins/admin_commands/kdb5_util.rst | 12 ++-- .../krb_admins/conf_files/enc_types.rst | 64 ------------------- .../krb_admins/conf_files/index.rst | 1 - .../krb_admins/conf_files/kdc_conf.rst | 63 +++++++++++++++++- .../krb_admins/conf_files/krb5_conf.rst | 25 ++++---- 7 files changed, 86 insertions(+), 87 deletions(-) delete mode 100644 doc/rst_source/krb_admins/conf_files/enc_types.rst diff --git a/doc/rst_source/krb_admins/admin_commands/kadmin_local.rst b/doc/rst_source/krb_admins/admin_commands/kadmin_local.rst index 8e85300d7..ec90cff39 100644 --- a/doc/rst_source/krb_admins/admin_commands/kadmin_local.rst +++ b/doc/rst_source/krb_admins/admin_commands/kadmin_local.rst @@ -128,7 +128,8 @@ OPTIONS **-e** "*enc*:*salt* ..." Sets the list of encryption types and salt types to be used for - any new keys created. + any new keys created. See :ref:`Encryption_and_salt_types` in + :ref:`kdc.conf(5)` for a list of possible values. **-O** Force use of old AUTH_GSSAPI authentication flavor. diff --git a/doc/rst_source/krb_admins/admin_commands/kdb5_ldap_util.rst b/doc/rst_source/krb_admins/admin_commands/kdb5_ldap_util.rst index 2399024bd..2ff1a0466 100644 --- a/doc/rst_source/krb_admins/admin_commands/kdb5_ldap_util.rst +++ b/doc/rst_source/krb_admins/admin_commands/kdb5_ldap_util.rst @@ -86,8 +86,9 @@ Creates realm in directory. Options: realm container. **-k** *mkeytype* - Specifies the key type of the master key in the database; the - default is that given in :ref:`kdc.conf(5)`. + Specifies the key type of the master key in the database. The + default is given by the **master_key_type** variable in + :ref:`kdc.conf(5)`. **-kv** *mkeyVNO* Specifies the version number of the master key in the database; diff --git a/doc/rst_source/krb_admins/admin_commands/kdb5_util.rst b/doc/rst_source/krb_admins/admin_commands/kdb5_util.rst index 9184df17b..e454a7c53 100644 --- a/doc/rst_source/krb_admins/admin_commands/kdb5_util.rst +++ b/doc/rst_source/krb_admins/admin_commands/kdb5_util.rst @@ -52,8 +52,9 @@ COMMAND-LINE OPTIONS value. **-k** *mkeytype* - specifies the key type of the master key in the database; the - default is that given in :ref:`kdc.conf(5)`. + specifies the key type of the master key in the database. The + default is given by the **master_key_type** variable in + :ref:`kdc.conf(5)`. **-kv** *mkeyVNO* Specifies the version number of the master key in the database; @@ -260,9 +261,10 @@ add_mkey Adds a new master key to the master key principal, but does not mark it as active. Existing master keys will remain. The **-e** option -specifies of the encryption type of the new master key. The **-s** -option stashes the new master key in the stash file, which will be -created if it doesn't already exist. +specifies the encryption type of the new master key; see +:ref:`Encryption_and_salt_types` in :ref:`kdc.conf(5)` for a list of +possible values. The **-s** option stashes the new master key in the +stash file, which will be created if it doesn't already exist. After a new master key is added, it should be propagated to slave servers via a manual or periodic invocation of :ref:`kprop(8)`. Then, diff --git a/doc/rst_source/krb_admins/conf_files/enc_types.rst b/doc/rst_source/krb_admins/conf_files/enc_types.rst deleted file mode 100644 index a337339c9..000000000 --- a/doc/rst_source/krb_admins/conf_files/enc_types.rst +++ /dev/null @@ -1,64 +0,0 @@ -.. _Supported_Encryption_Types_and_Salts: - -Supported encryption types and salts -==================================== - -Supported encryption types --------------------------- - -Any tag in the configuration files which requires a list of encryption -types can be set to some combination of the following strings. -Encryption types marked as "weak" are available for compatibility but -not recommended for use. - -==================================================== ========================================================= -des-cbc-crc DES cbc mode with CRC-32 (weak) -des-cbc-md4 DES cbc mode with RSA-MD4 (weak) -des-cbc-md5 DES cbc mode with RSA-MD5 (weak) -des-cbc-raw DES cbc mode raw (weak) -des3-cbc-raw Triple DES cbc mode raw (weak) -des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd Triple DES cbc mode with HMAC/sha1 -des-hmac-sha1 DES with HMAC/sha1 (weak) -aes256-cts-hmac-sha1-96 aes256-cts AES-256 CTS mode with 96-bit SHA-1 HMAC -aes128-cts-hmac-sha1-96 aes128-cts AES-128 CTS mode with 96-bit SHA-1 HMAC -arcfour-hmac rc4-hmac arcfour-hmac-md5 RC4 with HMAC/MD5 -arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp Exportable RC4 with HMAC/MD5 (weak) -des The DES family: des-cbc-crc, des-cbc-md5, and des-cbc-md4 (weak) -des3 The triple DES family: des3-cbc-sha1 -aes The AES family: aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96 -rc4 The RC4 family: arcfour-hmac -==================================================== ========================================================= - -The string **DEFAULT** can be used to refer to the default set of -types for the variable in question. Types or families can be removed -from the current list by prefixing them with a minus sign ("-"). -Types or families can be prefixed with a plus sign ("+") for symmetry; -it has the same meaning as just listing the type or family. For -example, "``DEFAULT -des``" would be the default set of encryption -types with DES types removed, and "``des3 DEFAULT``" would be the -default set of encryption types with triple DES types moved to the -front. - -While **aes128-cts** and **aes256-cts** are supported for all Kerberos -operations, they are not supported by very old versions of our GSSAPI -implementation (krb5-1.3.1 and earlier). Services running versions of -krb5 without AES support must not be given AES keys in the KDC -database. - - -Salts ------ - -Kerberos keys for users are usually derived from passwords. To ensure -that people who happen to pick the same password do not have the same -key, Kerberos 5 incorporates more information into the key using -something called a salt. The supported salt types are as follows: - -================= ============================================ -normal default for Kerberos Version 5 -v4 the only type used by Kerberos Version 4 (no salt) -norealm same as the default, without using realm information -onlyrealm uses only realm information as the salt -afs3 AFS version 3, only used for compatibility with Kerberos 4 in AFS -special generate a random salt -================= ============================================ diff --git a/doc/rst_source/krb_admins/conf_files/index.rst b/doc/rst_source/krb_admins/conf_files/index.rst index 5101282ff..2dc83de75 100644 --- a/doc/rst_source/krb_admins/conf_files/index.rst +++ b/doc/rst_source/krb_admins/conf_files/index.rst @@ -10,6 +10,5 @@ Configuration Files .. toctree:: :maxdepth: 2 - enc_types.rst krb5_conf.rst kdc_conf.rst diff --git a/doc/rst_source/krb_admins/conf_files/kdc_conf.rst b/doc/rst_source/krb_admins/conf_files/kdc_conf.rst index c9fd1a8c4..1a3bb451d 100644 --- a/doc/rst_source/krb_admins/conf_files/kdc_conf.rst +++ b/doc/rst_source/krb_admins/conf_files/kdc_conf.rst @@ -251,7 +251,7 @@ subsection: **master_key_type** (Key type string.) Specifies the master key's key type. The default value for this is ``aes256-cts``. For a list of all - possible values, see :ref:`Supported_Encryption_Types_and_Salts`. + possible values, see :ref:`Encryption_and_salt_types`. **max_life** (Delta time string.) Specifies the maximum time period for which @@ -306,7 +306,7 @@ subsection: default value for this tag is ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal``. For lists of possible values, see - :ref:`Supported_Encryption_Types_and_Salts` + :ref:`Encryption_and_salt_types`. .. _logging: @@ -583,6 +583,65 @@ For information about the syntax of some of these options, see policy is such that up-to-date CRLs must be present for every CA. +.. _Encryption_and_salt_types: + +Encryption and salt types +------------------------- + +Any tag in the configuration files which requires a list of encryption +types can be set to some combination of the following strings. +Encryption types marked as "weak" are available for compatibility but +not recommended for use. + +==================================================== ========================================================= +des-cbc-crc DES cbc mode with CRC-32 (weak) +des-cbc-md4 DES cbc mode with RSA-MD4 (weak) +des-cbc-md5 DES cbc mode with RSA-MD5 (weak) +des-cbc-raw DES cbc mode raw (weak) +des3-cbc-raw Triple DES cbc mode raw (weak) +des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd Triple DES cbc mode with HMAC/sha1 +des-hmac-sha1 DES with HMAC/sha1 (weak) +aes256-cts-hmac-sha1-96 aes256-cts AES-256 CTS mode with 96-bit SHA-1 HMAC +aes128-cts-hmac-sha1-96 aes128-cts AES-128 CTS mode with 96-bit SHA-1 HMAC +arcfour-hmac rc4-hmac arcfour-hmac-md5 RC4 with HMAC/MD5 +arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp Exportable RC4 with HMAC/MD5 (weak) +des The DES family: des-cbc-crc, des-cbc-md5, and des-cbc-md4 (weak) +des3 The triple DES family: des3-cbc-sha1 +aes The AES family: aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96 +rc4 The RC4 family: arcfour-hmac +==================================================== ========================================================= + +The string **DEFAULT** can be used to refer to the default set of +types for the variable in question. Types or families can be removed +from the current list by prefixing them with a minus sign ("-"). +Types or families can be prefixed with a plus sign ("+") for symmetry; +it has the same meaning as just listing the type or family. For +example, "``DEFAULT -des``" would be the default set of encryption +types with DES types removed, and "``des3 DEFAULT``" would be the +default set of encryption types with triple DES types moved to the +front. + +While **aes128-cts** and **aes256-cts** are supported for all Kerberos +operations, they are not supported by very old versions of our GSSAPI +implementation (krb5-1.3.1 and earlier). Services running versions of +krb5 without AES support must not be given AES keys in the KDC +database. + +Kerberos keys for users are usually derived from passwords. To ensure +that people who happen to pick the same password do not have the same +key, Kerberos 5 incorporates more information into the key using +something called a salt. The supported salt types are as follows: + +================= ============================================ +normal default for Kerberos Version 5 +v4 the only type used by Kerberos Version 4 (no salt) +norealm same as the default, without using realm information +onlyrealm uses only realm information as the salt +afs3 AFS version 3, only used for compatibility with Kerberos 4 in AFS +special generate a random salt +================= ============================================ + + Sample kdc.conf File -------------------- diff --git a/doc/rst_source/krb_admins/conf_files/krb5_conf.rst b/doc/rst_source/krb_admins/conf_files/krb5_conf.rst index 83027a011..16b122a12 100644 --- a/doc/rst_source/krb_admins/conf_files/krb5_conf.rst +++ b/doc/rst_source/krb_admins/conf_files/krb5_conf.rst @@ -99,11 +99,12 @@ The libdefaults section may contain any of the following relations: **allow_weak_crypto** If this flag is set to false, then weak encryption types will be filtered out of the previous three lists (as noted in - :ref:`Supported_Encryption_Types_and_Salts`). The default value - for this tag is false, which may cause authentication failures in - existing Kerberos infrastructures that do not support strong - crypto. Users in affected environments should set this tag to - true until their infrastructure adopts stronger ciphers. + :ref:`Encryption_and_salt_types` in :ref:`kdc.conf(5)`). The + default value for this tag is false, which may cause + authentication failures in existing Kerberos infrastructures that + do not support strong crypto. Users in affected environments + should set this tag to true until their infrastructure adopts + stronger ciphers. **ap_req_checksum_type** An integer which specifies the type of AP-REQ checksum to use in @@ -145,13 +146,13 @@ The libdefaults section may contain any of the following relations: **default_tgs_enctypes** Identifies the supported list of session key encryption types that should be returned by the KDC. The list may be delimited with - commas or whitespace. See - :ref:`Supported_Encryption_Types_and_Salts` for a list of the - accepted values for this tag. The default value is - ``aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 - arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4``, but - single-DES encryption types will be implicitly removed from this - list if the value of **allow_weak_crypto** is false. + commas or whitespace. See :ref:`Encryption_and_salt_types` in + :ref:`kdc.conf(5)` for a list of the accepted values for this tag. + The default value is ``aes256-cts-hmac-sha1-96 + aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc + des-cbc-md5 des-cbc-md4``, but single-DES encryption types will be + implicitly removed from this list if the value of + **allow_weak_crypto** is false. **default_tkt_enctypes** Identifies the supported list of session key encryption types that -- 2.26.2