use of AES keys with kinit

Ken Raeburn raeburn at MIT.EDU
Mon Sep 11 20:05:16 EDT 2006


On Sep 11, 2006, at 19:18, Tom Simons wrote:
> Is it possible to compile kerberos 1.5 to default to strong encryption (AES,
> 3DES), and eliminate the weaker ones entirely?
> I see the ENCTYPEs and CKSUMTYPEs in src/include/krb5/krb5.h - is it just a
> matter of removing/reordering them?

Not as a simple configure-time option, but if you go into the krb5 library sources, there's a macro defined in there which has the compiled-in default list of enctypes; you could remove DES there.  Or you could go into the crypto library and delete or alter the table entries where it recognizes the names of the DES-based enctypes.

Neither of those will completely cripple all the DES support -- it could still be found by number, e.g. when processing a received message using those types, unless you remove the entries from the table in the crypto library.  Even that will still leave (most of?) the bits used by the Kerberos v4 support intact.  But you'd certainly make it harder to accidentally use DES.

The current compiled-in defaults should cause the stronger enctypes to be preferred, though, unless you've got configuration data someplace (config file, key types in existing database entries) telling it to pick DES first.

Ken
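As an added illustration (not part of Ken's reply and not taken from the MIT krb5 sources), here is the kind of configuration Ken is referring to. The first [libdefaults] fragment lists DES first and is exactly what makes kinit ask for DES keys despite the compiled-in defaults; the second restricts the client to AES and 3DES only. The enctype names are the MIT krb5 names; the realm, file paths and principal are placeholders.

```ini
# --- /etc/krb5.conf, weak: DES listed first, so the client prefers it ---
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = des-cbc-crc des-cbc-md5 aes256-cts-hmac-sha1-96
    default_tgs_enctypes = des-cbc-crc des-cbc-md5 aes256-cts-hmac-sha1-96

# --- /etc/krb5.conf, corrected: only AES and 3DES are requested or accepted ---
[libdefaults]
    default_realm = EXAMPLE.COM
    # enctypes offered when requesting a ticket-granting ticket (kinit)
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1
    # enctypes offered when requesting service tickets
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1
    # enctypes this client will accept at all; DES is not in the list, so a
    # DES key returned by a KDC is rejected instead of silently used
    permitted_enctypes   = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1

# --- /var/kerberos/krb5kdc/kdc.conf: key types stored for NEW or CHANGED keys ---
# This only affects keys created after the change; principals whose database
# entries already hold DES keys keep them until the password or key is changed
# (e.g. with kadmin's change_password), which is the "key types in existing
# database entries" case Ken mentions.
[realms]
    EXAMPLE.COM = {
        supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal
    }
```

After changing the client file, `kinit` followed by `klist -e` shows the enctypes actually negotiated for the TGT, which is the quickest way to confirm DES is no longer being picked.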
