use of AES keys with kinit
Rich Frobose
frobose at llnl.gov
Mon Sep 11 14:26:37 EDT 2006
I find that when I have a principal with both a DES key and an AES128
key then I cannot use kinit to authenticate using a keytab file that
only has the AES128 key. I would like to know why I cannot
authenticate through kinit using just my AES128 key.
The details of my interaction follow:
1. Create the keytab file with just an aes128-cts-hmac-sha1-96:normal key:

    kadmin.local: ktadd -k temp.keytab -e "aes128-cts-hmac-sha1-96:normal" PRINCIPAL
    Entry for principal PRINCIPAL with kvno 5, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:temp.keytab.

2. Try to kinit using that keytab file.

    kinit -k -t temp.keytab PRINCIPAL
    kinit(v5): Key table entry not found while getting initial credentials

But after adding a des key to the temp.keytab, then the above kinit works.
In trying to research this I noticed the following in the latest (Aug
4, 2006) "Kerberos V5 application programming library"
documentation. In the description of the krb5_get_in_tkt call it
says that "valid encryption types are ETYPE_DES_CBC_CRC and ETYPE_RAW_DES_CBC".
Am I to understand that the API used by kinit will use only DES keys
to get initial tickets? If so, is this just a current implementation
problem or is there a more basic technical problem that will not let
kinit be extended to use AES128 keys?