use of AES keys with kinit

Ken Raeburn raeburn at MIT.EDU
Mon Sep 11 16:20:35 EDT 2006


On Sep 11, 2006, at 14:26, Rich Frobose wrote:
> I find that when I have a principal with both a DES key and an AES128
> key then I cannot use kinit to authenticate using a keytab file that
> only has the AES128 key.  I would like to know why I cannot
> authenticate through kinit using just my AES128 key.

Currently kinit will not look at the keytab to come up with a list of
encryption types; it just asks for any encryption type it knows
about, and assumes that the KDC can do the right thing.  The KDC
assumes that the keytab will have all of the keys, and picks the
first one (they're in a sort of preference order in the database).

We could change kinit to look at the keytab for the enctypes, but it
could also be argued that if the KDC and keytab are not consistent,
your configuration is broken....


> In trying to research this I noticed the following in the latest (Aug
> 4, 2006) "Kerberos V5 application programming library"
> documentation.  In the description of the krb5_get_in_tkt call it
> says that "valid encryption types are ETYPE_DES_CBC_CRC and
> ETYPE_RAW_DES_CBC".

That document is very much out of date, I'm afraid.

> Am I to understand that the API used by kinit will use only DES keys
> to get initial tickets?  If so, is this just a current implementation
> problem or is there a more basic technical problem that will not let
> kinit be extended to use an AES128 key?

It should work just fine with AES... confusion about the
configuration aside....

Ken
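As an added illustration of the mismatch Ken describes (this is not code from the thread or from MIT Kerberos), the following script parses an MIT-format keytab (version 0x0502, the layout used by current MIT and Heimdal keytabs) to list which enctypes a principal actually has, then simulates the KDC picking the first key from its preference-ordered list and checks whether the keytab holds that type. The keytab bytes are constructed in-script, and the KDC's preference list is an assumed input standing in for the database ordering; real-world use would read `/etc/krb5.keytab` and compare against `getprinc` output.

```python
import struct

# Well-known Kerberos enctype numbers (RFC 3961 / RFC 3962 / RFC 4757).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}


def build_keytab(entries):
    """Serialize (principal, realm, kvno, enctype, key) tuples into
    keytab format 0x0502 bytes.  Used here only to construct test data."""
    out = bytearray(b"\x05\x02")                       # format version
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = bytearray()
        body += struct.pack(">H", len(comps))            # component count (realm excluded)
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">I", 1)                     # name type KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 0)                     # timestamp (constructed: 0)
        body += struct.pack(">B", kvno & 0xFF)           # 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                  # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body       # signed length prefix
    return bytes(out)


def parse_keytab(data):
    """Parse keytab 0x0502 bytes into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size

        def rd(fmt):
            nonlocal pos
            vals = struct.unpack_from(fmt, data, pos)
            pos += struct.calcsize(fmt)
            return vals

        (ncomp,) = rd(">H")
        (rlen,) = rd(">H")
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = rd(">H")
            comps.append(data[pos:pos + clen].decode()); pos += clen
        rd(">I")                     # name type
        rd(">I")                     # timestamp
        (vno8,) = rd(">B")
        enctype, klen = rd(">HH")
        key = data[pos:pos + klen]; pos += klen
        kvno = vno8
        if end - pos >= 4:           # optional 32-bit kvno overrides the 8-bit one
            (kvno32,) = rd(">I")
            if kvno32:
                kvno = kvno32
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype, "key": key})
        pos = end
    return entries


def enctypes_for(entries, principal):
    """Sorted enctype numbers present in the keytab for one principal."""
    return sorted({e["enctype"] for e in entries if e["principal"] == principal})


def kdc_key_in_keytab(entries, principal, kdc_enctypes):
    """Model the behaviour from the thread: the KDC takes the first key type
    in its preference-ordered list.  Return (chosen_enctype, present_in_keytab).
    kdc_enctypes is an assumed stand-in for the database key ordering."""
    chosen = kdc_enctypes[0]
    return chosen, chosen in enctypes_for(entries, principal)


if __name__ == "__main__":
    # Constructed keytab: only an AES128 key for rich@EXAMPLE.COM.
    kt = build_keytab([("rich", "EXAMPLE.COM", 2, 17, bytes(range(16)))])
    ents = parse_keytab(kt)
    for e in ents:
        print(e["principal"], "kvno", e["kvno"], ENCTYPE_NAMES.get(e["enctype"], e["enctype"]))
    # KDC database lists DES first, then AES -> KDC picks DES, keytab lacks it.
    chosen, ok = kdc_key_in_keytab(ents, "rich@EXAMPLE.COM", [1, 17])
    print("KDC would use", ENCTYPE_NAMES[chosen], "- in keytab:", ok)
```

The check mirrors the "keytab and KDC are inconsistent" situation from the reply: when the DES key sorts first in the database but the keytab carries only the AES128 key, the function reports the DES enctype as chosen and absent, which is the failure the original poster sees. Running it with the AES key first in the list reports a match.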
