**-e** "*enc*:*salt* ..."
Sets the list of encryption types and salt types to be used for
- any new keys created.
+ any new keys created. See :ref:`Encryption_and_salt_types` in
+ :ref:`kdc.conf(5)` for a list of possible values.
**-O**
Force use of old AUTH_GSSAPI authentication flavor.
realm container.
**-k** *mkeytype*
- Specifies the key type of the master key in the database; the
- default is that given in :ref:`kdc.conf(5)`.
+ Specifies the key type of the master key in the database. The
+ default is given by the **master_key_type** variable in
+ :ref:`kdc.conf(5)`.
**-kv** *mkeyVNO*
Specifies the version number of the master key in the database;
value.
**-k** *mkeytype*
- specifies the key type of the master key in the database; the
- default is that given in :ref:`kdc.conf(5)`.
+ specifies the key type of the master key in the database. The
+ default is given by the **master_key_type** variable in
+ :ref:`kdc.conf(5)`.
**-kv** *mkeyVNO*
Specifies the version number of the master key in the database;
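Review bot: the rewritten **-k** *mkeytype* description still begins with a lowercase "specifies", while the parallel hunk for the other manual page capitalizes it ("Specifies the key type of the master key in the database."). Since the line is being replaced anyway, capitalize it here too so the two option descriptions read identically.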
Adds a new master key to the master key principal, but does not mark
it as active. Existing master keys will remain. The **-e** option
-specifies of the encryption type of the new master key. The **-s**
-option stashes the new master key in the stash file, which will be
-created if it doesn't already exist.
+specifies the encryption type of the new master key; see
+:ref:`Encryption_and_salt_types` in :ref:`kdc.conf(5)` for a list of
+possible values. The **-s** option stashes the new master key in the
+stash file, which will be created if it doesn't already exist.
After a new master key is added, it should be propagated to slave
servers via a manual or periodic invocation of :ref:`kprop(8)`. Then,
+++ /dev/null
-.. _Supported_Encryption_Types_and_Salts:
-
-Supported encryption types and salts
-====================================
-
-Supported encryption types
---------------------------
-
-Any tag in the configuration files which requires a list of encryption
-types can be set to some combination of the following strings.
-Encryption types marked as "weak" are available for compatibility but
-not recommended for use.
-
-==================================================== =========================================================
-des-cbc-crc DES cbc mode with CRC-32 (weak)
-des-cbc-md4 DES cbc mode with RSA-MD4 (weak)
-des-cbc-md5 DES cbc mode with RSA-MD5 (weak)
-des-cbc-raw DES cbc mode raw (weak)
-des3-cbc-raw Triple DES cbc mode raw (weak)
-des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd Triple DES cbc mode with HMAC/sha1
-des-hmac-sha1 DES with HMAC/sha1 (weak)
-aes256-cts-hmac-sha1-96 aes256-cts AES-256 CTS mode with 96-bit SHA-1 HMAC
-aes128-cts-hmac-sha1-96 aes128-cts AES-128 CTS mode with 96-bit SHA-1 HMAC
-arcfour-hmac rc4-hmac arcfour-hmac-md5 RC4 with HMAC/MD5
-arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp Exportable RC4 with HMAC/MD5 (weak)
-des The DES family: des-cbc-crc, des-cbc-md5, and des-cbc-md4 (weak)
-des3 The triple DES family: des3-cbc-sha1
-aes The AES family: aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96
-rc4 The RC4 family: arcfour-hmac
-==================================================== =========================================================
-
-The string **DEFAULT** can be used to refer to the default set of
-types for the variable in question. Types or families can be removed
-from the current list by prefixing them with a minus sign ("-").
-Types or families can be prefixed with a plus sign ("+") for symmetry;
-it has the same meaning as just listing the type or family. For
-example, "``DEFAULT -des``" would be the default set of encryption
-types with DES types removed, and "``des3 DEFAULT``" would be the
-default set of encryption types with triple DES types moved to the
-front.
-
-While **aes128-cts** and **aes256-cts** are supported for all Kerberos
-operations, they are not supported by very old versions of our GSSAPI
-implementation (krb5-1.3.1 and earlier). Services running versions of
-krb5 without AES support must not be given AES keys in the KDC
-database.
-
-
-Salts
------
-
-Kerberos keys for users are usually derived from passwords. To ensure
-that people who happen to pick the same password do not have the same
-key, Kerberos 5 incorporates more information into the key using
-something called a salt. The supported salt types are as follows:
-
-================= ============================================
-normal default for Kerberos Version 5
-v4 the only type used by Kerberos Version 4 (no salt)
-norealm same as the default, without using realm information
-onlyrealm uses only realm information as the salt
-afs3 AFS version 3, only used for compatibility with Kerberos 4 in AFS
-special generate a random salt
-================= ============================================
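Review bot: deleting this file also deletes the ``Supported_Encryption_Types_and_Salts`` label, so any ``:ref:`` to it that is not updated in this patch becomes an undefined-label warning and an unlinked reference in the built docs. The four references rewritten here (master_key_type, supported_enctypes, allow_weak_crypto, default_tgs_enctypes) cover only the lines shown; grep the rest of the doc tree for the old label name, and a build that treats Sphinx warnings as errors would confirm nothing was missed.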
.. toctree::
:maxdepth: 2
- enc_types.rst
krb5_conf.rst
kdc_conf.rst
**master_key_type**
(Key type string.) Specifies the master key's key type. The
default value for this is ``aes256-cts``. For a list of all
- possible values, see :ref:`Supported_Encryption_Types_and_Salts`.
+ possible values, see :ref:`Encryption_and_salt_types`.
**max_life**
(Delta time string.) Specifies the maximum time period for which
default value for this tag is ``aes256-cts-hmac-sha1-96:normal
aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal
arcfour-hmac-md5:normal``. For lists of possible values, see
- :ref:`Supported_Encryption_Types_and_Salts`
+ :ref:`Encryption_and_salt_types`.
.. _logging:
policy is such that up-to-date CRLs must be present for every CA.
+.. _Encryption_and_salt_types:
+
+Encryption and salt types
+-------------------------
+
+Any tag in the configuration files which requires a list of encryption
+types can be set to some combination of the following strings.
+Encryption types marked as "weak" are available for compatibility but
+not recommended for use.
+
+==================================================== =========================================================
+des-cbc-crc DES cbc mode with CRC-32 (weak)
+des-cbc-md4 DES cbc mode with RSA-MD4 (weak)
+des-cbc-md5 DES cbc mode with RSA-MD5 (weak)
+des-cbc-raw DES cbc mode raw (weak)
+des3-cbc-raw Triple DES cbc mode raw (weak)
+des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd Triple DES cbc mode with HMAC/sha1
+des-hmac-sha1 DES with HMAC/sha1 (weak)
+aes256-cts-hmac-sha1-96 aes256-cts AES-256 CTS mode with 96-bit SHA-1 HMAC
+aes128-cts-hmac-sha1-96 aes128-cts AES-128 CTS mode with 96-bit SHA-1 HMAC
+arcfour-hmac rc4-hmac arcfour-hmac-md5 RC4 with HMAC/MD5
+arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp Exportable RC4 with HMAC/MD5 (weak)
+des The DES family: des-cbc-crc, des-cbc-md5, and des-cbc-md4 (weak)
+des3 The triple DES family: des3-cbc-sha1
+aes The AES family: aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96
+rc4 The RC4 family: arcfour-hmac
+==================================================== =========================================================
+
+The string **DEFAULT** can be used to refer to the default set of
+types for the variable in question. Types or families can be removed
+from the current list by prefixing them with a minus sign ("-").
+Types or families can be prefixed with a plus sign ("+") for symmetry;
+it has the same meaning as just listing the type or family. For
+example, "``DEFAULT -des``" would be the default set of encryption
+types with DES types removed, and "``des3 DEFAULT``" would be the
+default set of encryption types with triple DES types moved to the
+front.
+
+While **aes128-cts** and **aes256-cts** are supported for all Kerberos
+operations, they are not supported by very old versions of our GSSAPI
+implementation (krb5-1.3.1 and earlier). Services running versions of
+krb5 without AES support must not be given AES keys in the KDC
+database.
+
+Kerberos keys for users are usually derived from passwords. To ensure
+that people who happen to pick the same password do not have the same
+key, Kerberos 5 incorporates more information into the key using
+something called a salt. The supported salt types are as follows:
+
+================= ============================================
+normal default for Kerberos Version 5
+v4 the only type used by Kerberos Version 4 (no salt)
+norealm same as the default, without using realm information
+onlyrealm uses only realm information as the salt
+afs3 AFS version 3, only used for compatibility with Kerberos 4 in AFS
+special generate a random salt
+================= ============================================
+
+
Sample kdc.conf File
--------------------
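Review bot: the moved section ends with two added blank lines before the "Sample kdc.conf File" heading (the last two ``+`` lines of the hunk); one is enough, and the deleted file had only one. Otherwise the text is carried over verbatim, which is the right call for a move, and dropping the separate "Salts" subheading works because the "Kerberos keys for users are usually derived from passwords" sentence already introduces the salt table.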
**allow_weak_crypto**
If this flag is set to false, then weak encryption types will be
filtered out of the previous three lists (as noted in
- :ref:`Supported_Encryption_Types_and_Salts`). The default value
- for this tag is false, which may cause authentication failures in
- existing Kerberos infrastructures that do not support strong
- crypto. Users in affected environments should set this tag to
- true until their infrastructure adopts stronger ciphers.
+ :ref:`Encryption_and_salt_types` in :ref:`kdc.conf(5)`). The
+ default value for this tag is false, which may cause
+ authentication failures in existing Kerberos infrastructures that
+ do not support strong crypto. Users in affected environments
+ should set this tag to true until their infrastructure adopts
+ stronger ciphers.
**ap_req_checksum_type**
An integer which specifies the type of AP-REQ checksum to use in
**default_tgs_enctypes**
Identifies the supported list of session key encryption types that
should be returned by the KDC. The list may be delimited with
- commas or whitespace. See
- :ref:`Supported_Encryption_Types_and_Salts` for a list of the
- accepted values for this tag. The default value is
- ``aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1
- arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4``, but
- single-DES encryption types will be implicitly removed from this
- list if the value of **allow_weak_crypto** is false.
+ commas or whitespace. See :ref:`Encryption_and_salt_types` in
+ :ref:`kdc.conf(5)` for a list of the accepted values for this tag.
+ The default value is ``aes256-cts-hmac-sha1-96
+ aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc
+ des-cbc-md5 des-cbc-md4``, but single-DES encryption types will be
+ implicitly removed from this list if the value of
+ **allow_weak_crypto** is false.
**default_tkt_enctypes**
Identifies the supported list of session key encryption types that