[krbdev.mit.edu #2585] Documentation must be updated for GSS-API AES Support

"Jeffrey Altman [Kermit Project]" via RT rt-comment at krbdev.mit.edu
Fri Jun 4 13:56:45 EDT 2004


Reported by Seema.Malkani at Sun.COM:

In reference to support for the AES encryption type in Kerberos,
the MIT Kerberos docs for 1.3.3 don't seem to be correct.
krb5-1.3.3 does include support for AES. But the docs mention
that AES support in GSS does not exist.

http://web.mit.edu/kerberos/www/krb5-1.3/krb5-1.3.3/doc/krb5-admin.html

While aes128-cts and aes256-cts are supported for all Kerberos
operations, they are not supported by the GSSAPI. AES GSSAPI support
will be added after the necessary standardization work is completed.

By default, AES is enabled on clients and application servers. Because
of the lack of support for GSSAPI, AES is disabled in the default KDC
supported_enctypes kdc.conf
<http://web.mit.edu/kerberos/www/krb5-1.3/krb5-1.3.3/doc/krb5-admin.html#kdc.conf>.
Sites wishing to use AES encryption types on their KDCs need to be
careful not to give GSSAPI services AES keys. If GSSAPI services are
given AES keys, then services will start to fail in the future when
clients supporting AES for GSSAPI are deployed before updated servers
that support AES for GSSAPI. Sites may wish to use AES for user keys and
for the ticket granting ticket key, although doing so requires
specifying what encryption types are used as each principal is created.
Alternatively, sites can use the default configuration, which will make
AES support available in clients and servers but not actually use this
support until a future version of Kerberos adds support to GSSAPI.

Seema
