Kerberized Services and Enctypes
John Hascall
john at iastate.edu
Fri Oct 5 11:02:05 EDT 2007
> >How do I know which key types a service can support?
>From the KDC's perspective, there is no way to know that;
>it falls upon the admin (you) to know that.
Right.
> You could probably generate that yourself just by looking at a release
> history. You might even be able to write a small program that uses the
> krb5 API to determine which enctypes a particular Kerberos library
> supports. I don't think the number of enctypes you care about is large,
> is it? I mean, I think from a practical perspective what you care
> about 3DES, ArcFour, and AES. I would guess ArcFour and AES came in to
> MIT Kerberos around the same time. Might require a little bit of work
> looking at different releases, but it shouldn't take that long.
Thanks Ken.
After some playing around, I came up with the following.
For a statically linked binary:
# strings -a /httpd/cgi-bin/acropolis | \
    grep -E '(des|arcfour|aes)[0-9]*-(hmac|cbc|sha|cts)'
des3-hmac-sha1:normal des-cbc-crc:normal
des3-cbc-sha1 des-cbc-md5 des-cbc-crc
des-cbc-crc
des-cbc-md4
des-cbc-md5
des-cbc-raw
des3-cbc-raw
des3-cbc-sha1
des3-hmac-sha1
des3-cbc-sha1-kd
des-hmac-sha1
des-cbc
For a dynamically linked one.
# ldd /usr/local/bin/popper | grep k5crypto
libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x0000003ee6a00000)
# strings -a /usr/lib64/libk5crypto.so.3 | \
    grep -E '(des|arcfour|aes)[0-9]*-(hmac|cbc|sha|cts)'
des-cbc-crc
des-cbc-md4
des-cbc-md5
des-cbc-raw
des3-cbc-raw
des3-cbc-sha1
des3-hmac-sha1
des3-cbc-sha1-kd
des-hmac-sha1
arcfour-hmac
arcfour-hmac-md5
arcfour-hmac-exp
arcfour-hmac-md5-exp
aes128-cts-hmac-sha1-96
aes128-cts
aes256-cts-hmac-sha1-96
aes256-cts
This may not be perfectly accurate, but I'm guessing it
at least gives me a place to start. A pretty good chance
that my first example isn't going to work with aes, for
example.
John
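The strings/grep trick above, turned into a small script, as an added example that is not part of the original post. It assumes only ldd, tr, grep, sort and awk (tr -c stands in for strings -a, so it runs without binutils), uses the same name pattern John grepped for, and picks libk5crypto via ldd when the binary is dynamically linked or falls back to the binary itself when it is static. The function and variable names are my own, and the sample bytes in the check at the end are constructed.

```shell
#!/bin/sh
# enctype_scan.sh -- added example, not from the original post.
# Usage: sh enctype_scan.sh /usr/local/bin/popper /httpd/cgi-bin/acropolis
# For each binary, print the Kerberos enctype names embedded in the
# libk5crypto it loads (dynamic case) or in the binary itself (static case).

# Same pattern as in the post, with a trailing [a-z0-9-]* so that grep -o
# prints the whole token ("des-cbc-crc" out of "des-cbc-crc:normal").
ENCTYPE_RE='(des|arcfour|aes)[0-9]*-(hmac|cbc|sha|cts)[a-z0-9-]*'

# Print the sorted, de-duplicated enctype names found in FILE.
# tr turns every non-printable byte into a newline, which is all that
# "strings -a" does for our purposes; LC_ALL=C keeps the sort order fixed.
enctypes_in_file() {
    tr -c '[:print:]' '\n' < "$1" | grep -o -E "$ENCTYPE_RE" | LC_ALL=C sort -u
}

# Print the path of the libk5crypto a dynamically linked BINARY loads, or
# nothing when the binary is static or ldd cannot resolve it.
k5crypto_lib_for() {
    ldd "$1" 2>/dev/null | awk '/libk5crypto/ && $3 ~ /^\// { print $3; exit }'
}

# Scan the right file for BINARY and print "binary<TAB>scanned-file<TAB>enctype".
scan() {
    bin=$1
    lib=$(k5crypto_lib_for "$bin")
    if [ -n "$lib" ]; then src=$lib; else src=$bin; fi
    enctypes_in_file "$src" | while IFS= read -r et; do
        printf '%s\t%s\t%s\n' "$bin" "$src" "$et"
    done
}

# Exit 0 if FILE embeds enctype NAME exactly, 1 otherwise; handy as a
# pre-flight check before writing a keytab with that enctype.
supports_enctype() {
    enctypes_in_file "$1" | grep -q -x -F "$2"
}

if [ "$#" -gt 0 ]; then
    for b in "$@"; do scan "$b"; done
fi
```

Two caveats a practitioner should keep in mind. A name showing up in libk5crypto only means the library can do that enctype; whether the service actually accepts it still depends on its krb5.conf (permitted_enctypes and friends) and on what is in its keytab, which is the "may not be perfectly accurate" John mentions. And ldd should only be pointed at binaries you trust, since some dynamic loaders execute the program while tracing its dependencies.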
More information about the Kerberos mailing list