Encryption type settings in kdc.conf and krb5.conf

Todd Grayson tgrayson at cloudera.com
Mon Jul 27 10:51:10 EDT 2015


The question is: how much variation can be tolerated in the configuration
of encryption type settings within krb5.conf / kdc.conf?

Generally speaking, I'm using this as the reference for proper values to set:
(krb5.conf)
http://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html

(kdc.conf)
http://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/kdc_conf.html

I constantly see "clipped" values being used, and I wonder: is Kerberos
using those, or is it just discarding them and going to default behavior at
that point, so that the settings are worthless?

Examples of this are:

aes-256 for aes256-cts-hmac-sha1-96
rc4-hmac for arcfour-hmac-md5

Are these actually being parsed properly? (The first value is, obviously,
the questioned abbreviation.)






-- 
Todd Grayson
Customer Operations Engineering

