Kerberos & GSS-API native support on Solaris

Newman, Edward (IDS GNS) edward_newman at ml.com
Mon Apr 4 08:32:05 EDT 2005


Can anyone provide a support matrix for Kerberos on Solaris using native
Sun libraries (rather than MIT or Heimdal)? I have had particular
difficulty in getting a definitive answer on this. The following appears
to be the case:

Solaris 8
Standard Global encryption versions of Kerberos and GSS-API (libgss)
only provide for DES-based integrity. No support for even DES-based
encryption or other stronger encryption algorithms (appears to be shown by
the missing GSS_KRB5_CONF_C_QOP_DES in the /etc/gss/qop file).

Domestic encryption (possibly added via Solaris Encryption Kit) provides
enhanced DES support for Kerberos. Still no support for RC4-HMAC.

Solaris 9
Global encryption libraries appear to support DES integrity and
encryption. No RC4 support. 

Solaris 10
Kerberos implementation supports many encryption variants through new
Solaris 10 encryption APIs. Includes RC4-HMAC.

Clearly some of the above could be resolved by installing MIT libraries and
recompiling against these rather than native implementations. Just
trying to understand what the existing native Solaris support consists
of.

What combination of packages and patches would provide full DES
integrity and encryption on Solaris 8/9? Does someone maintain such an
interoperability matrix for Kerberos? Any chance that Active Directory
will move to AES?

Many thanks,

Edward
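
Added example (not part of the original message, and not Sun's or MIT's code): a shell check for the indicator the message points to, namely whether a qop file lists a confidentiality QOP such as GSS_KRB5_CONF_C_QOP_DES for a mechanism. It assumes the three-column qop(4) layout (QOP string, QOP value, mechanism name); the function names, the sample files and the kerberos_v5 and GSS_KRB5_INTEG_C_QOP_DES_MD5 entries in them are constructed for illustration.

```shell
#!/bin/sh
# Added example: report integrity vs. confidentiality QOPs in a GSS-API qop file.
# Assumed layout (qop(4)): <qop_string> <qop_value> <mechanism_name>, '#' = comment.
# On Solaris set AWK=nawk; the old /usr/bin/awk lacks -v and sub().
AWK=${AWK:-awk}

# qop_summary FILE -> one line per mechanism: "<mech> integ=<n> conf=<n>"
qop_summary() {
    "$AWK" '
        { sub(/#.*/, "") }                 # strip comments
        NF < 3 { next }                    # skip blank or malformed lines
        { seen[$3] = 1 }
        $1 ~ /_INTEG_/ { integ[$3]++ }
        $1 ~ /_CONF_/  { conf[$3]++ }
        END { for (m in seen) printf "%s integ=%d conf=%d\n", m, integ[m], conf[m] }
    ' "$1" | sort
}

# has_conf_qop FILE MECH -> exit status 0 if MECH has a confidentiality QOP
has_conf_qop() {
    "$AWK" -v m="$2" '
        { sub(/#.*/, "") }
        NF >= 3 && $3 == m && $1 ~ /_CONF_/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Constructed samples (not copied from a real system): one file without the
# CONF entry, as the message describes, and one with it.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' '# QOP string  QOP value  mechanism' \
    'GSS_KRB5_INTEG_C_QOP_DES_MD5 0 kerberos_v5' > "$SAMPLE_DIR/qop.integ_only"
printf '%s\n' 'GSS_KRB5_INTEG_C_QOP_DES_MD5 0 kerberos_v5' \
    'GSS_KRB5_CONF_C_QOP_DES 0 kerberos_v5  # privacy' > "$SAMPLE_DIR/qop.with_conf"

for f in "$SAMPLE_DIR"/qop.*; do
    echo "== $f"
    qop_summary "$f"
    if has_conf_qop "$f" kerberos_v5; then
        echo "confidentiality QOP listed"
    else
        echo "integrity-only QOP set"
    fi
done
```

To check a live host, call `qop_summary /etc/gss/qop` instead of the sample files.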