Encryption type settings in kdc.conf and krb5.conf
Greg Hudson
ghudson at mit.edu
Mon Jul 27 11:26:32 EDT 2015
On 07/27/2015 10:51 AM, Todd Grayson wrote:
> The question is; how much variation can be tolerated on the configuration
> of encryption type settings within the krb5.conf / kdc.conf
Only what is listed in the "Encryption types" table.
> I constantly see "clipped" values being used and I wonder, is kerberos
> using those, or is it just discarding and going to default behavior at that
> point, and the settings are worthless.
Unrecognized entries are ignored, but we don't discard the entire
setting as a result. If all entries in the list are unrecognized, you
can wind up with an empty enctype list, which should cause the affected
operations to fail.
> Examples of this are:
>
> aes-256 for aes256-cts-hmac-sha1-96
> rc4-hmac for arcfour-hmac-md5
rc4-hmac is in the table and should work. aes-256 is not a recognized
abbreviation. Experimentally, if I set:
[libdefaults]
default_tkt_enctypes = aes-256
then kinit fails:
$ KRB5_TRACE=/dev/stdout kinit user
[5912] 1438010237.103621: Getting initial credentials for
user at KRBTEST.COM
[5912] 1438010237.103688: Unrecognized enctype name in
default_tkt_enctypes: aes-256
[...]
kinit: No supported encryption types (config file error?) while
getting initial credentials
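The behaviour Greg describes (unrecognized names ignored one at a time, an empty list causing failure) as an added Python model, not MIT krb5's own code; KNOWN_ENCTYPES is an assumed subset of the "Encryption types" table, and the function and class names are mine:

```python
# Added example: a model of how MIT krb5 treats enctype lists in krb5.conf,
# per the reply above. Unrecognized names are dropped one by one; a list that
# ends up empty fails. KNOWN_ENCTYPES is an assumed subset of the MIT
# "Encryption types" table, not the full list of names and aliases.
KNOWN_ENCTYPES = {
    "aes256-cts-hmac-sha1-96", "aes256-cts", "aes256-sha1",
    "aes128-cts-hmac-sha1-96", "aes128-cts", "aes128-sha1",
    "arcfour-hmac", "rc4-hmac", "arcfour-hmac-md5",
}
ENCTYPE_SETTINGS = ("default_tkt_enctypes", "default_tgs_enctypes",
                    "permitted_enctypes")


class NoSupportedEnctypes(Exception):
    """Empty enctype list after filtering, the case behind kinit's
    'No supported encryption types (config file error?)'."""


def parse_enctype_list(setting, value, known=KNOWN_ENCTYPES):
    """Split one enctype list (space or comma separated), keep recognized
    entries and drop the rest. Returns (kept, ignored), order preserved."""
    kept, ignored = [], []
    for name in value.replace(",", " ").split():
        (kept if name.lower() in known else ignored).append(name)
    for name in ignored:  # same wording as the KRB5_TRACE line in the reply
        print(f"Unrecognized enctype name in {setting}: {name}")
    if not kept:
        raise NoSupportedEnctypes(
            f"{setting}: No supported encryption types (config file error?)")
    return kept, ignored


def check_libdefaults(conf_text):
    """Run parse_enctype_list over each enctype setting in [libdefaults]
    of a krb5.conf-style text. Returns {setting: (kept, ignored)}."""
    results, in_libdefaults = {}, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            in_libdefaults = line == "[libdefaults]"
            continue
        if in_libdefaults and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key in ENCTYPE_SETTINGS:
                results[key] = parse_enctype_list(key, value)
    return results
```

The real parser also accepts family names such as aes and the keyword DEFAULT; this model deliberately leaves those out and only shows the keep/ignore/fail logic from the thread.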