Kerberos & GSS-API native support on Solaris
Nicolas.Williams at sun.com
Mon Apr 4 12:15:46 EDT 2005
On Mon, Apr 04, 2005 at 01:32:05PM +0100, Newman, Edward (IDS GNS) wrote:
> Can anyone provide a support matrix for Kerberos on Solaris using native
> Sun libraries (rather than MIT or Heimdal). I have had particular
> difficulty in getting a definitive answer on this. The following appears
> to be the case:
> Solaris 8
> Standard Global encryption versions of Kerberos and GSS-API (libgss)
> only provide for DES based integrity. No support for even DES based
> encryption or other stronger encryption algorithms (appears to show by
> missing GSS_KRB5_CONF_C_QOP_DES in /etc/gss/qop file).
> Domestic encryption (possibly added via Solaris Encryption Kit) provides
> enhanced DES support for Kerberos. Still no support for RC4-HMAC.
Solaris 8's implementation of the Kerberos V mechanism supports the DES
Its "Domestic" Kerberos V mechanism supports confidentiality and
integrity protection. Its "Global" Kerberos V mechanism supports only
> Solaris 9
> Global encryption libraries appear to support DES integrity and
> encryption. No RC4 support.
Solaris 9's implementation of the Kerberos V mechanism supports the DES
> Solaris 10
> Kerberos implementation supports many encryption variants through new
> Solaris 10 encryption APIs. Includes RC4-HMAC.
Solaris 10's implementation of the Kerberos V mechanism supports a
number of enctypes:
- AES-256 (with the addition of the supplemental cryptographic
> Clearly some of above could be resolved by installing MIT libraries and
> recompiling against these rather than native implementations. Just
> trying to understand what the existing native Solaris support consists
You can't replace the native Kerberos V implementation for Solaris
native consumers of it (RPCSEC_GSS, pam_krb5, telnet/in.telnetd, ...).
You can replace some, but not all, of the Solaris native consumers of
mech_krb5. Specifically you cannot replace the RPCSEC_GSS component
(i.e., Secure NFS).
> What combination of packages and patches would provide full DES
> integrity and encryption on Solaris 8/9? Does someone maintain such an
> interoperability matrix for Kerberos? Any chance that Active Directory
> will move to AES?
See above. For Solaris 8 you need the Domestic version of mech_krb5,
which comes with the Solaris Data Encryption Supplemental CD:
IIRC Solaris 9 ships only the domestic mech_krb5.
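The thread above is about which enctypes a given Solaris release can actually use (DES-only integrity on Solaris 8 Global, DES confidentiality with the Domestic mech_krb5, RC4-HMAC and AES only from Solaris 10). A practical follow-up for anyone maintaining such an interoperability matrix is to audit what a client is really configured for and really got issued. The script below is an added example, not code from the thread or from Sun: it parses the enctype lists in a krb5.conf `[libdefaults]` section and the `Etype (skey, tkt):` lines of `klist -e` output, and flags single DES and RC4-HMAC as weak and triple DES as legacy. The sample configuration and ticket listing are constructed inline, the `klist -e` line layout is an approximation of what MIT-derived builds print (old builds use long names such as "DES cbc mode with CRC-32", newer ones short names such as "rc4-hmac"), and the weak/legacy/strong policy is this example's own.

```python
"""Audit Kerberos enctype configuration and issued tickets for weak enctypes.

Added example for the krbdev thread on Solaris native Kerberos support; it is
not Sun's or MIT's code.  All input below is constructed sample data.
"""
import re

# krb5.conf [libdefaults] keys that carry enctype lists.
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")


def classify_enctype(name):
    """Return 'weak', 'legacy', 'strong' or 'unknown' for one enctype name.

    Accepts short names (des-cbc-crc, rc4-hmac, aes256-cts-hmac-sha1-96) and the
    long names older `klist -e` builds print ("DES cbc mode with CRC-32").
    Policy (this example's assumption): single DES and RC4-HMAC are weak,
    triple DES is legacy, AES is strong.
    """
    n = name.strip().lower()
    if n.startswith("des3") or "triple des" in n:   # check 3DES before single DES
        return "legacy"
    if n.startswith("des") or "rc4" in n or "arcfour" in n:
        return "weak"
    if n.startswith("aes"):
        return "strong"
    return "unknown"


def parse_libdefaults_enctypes(conf_text):
    """Extract the enctype lists from the [libdefaults] section of a krb5.conf."""
    section = None
    found = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key in ENCTYPE_KEYS:
            # Lists may be space- or comma-separated.
            found[key] = [e for e in re.split(r"[\s,]+", value.strip()) if e]
    return found


def parse_klist_etypes(klist_text):
    """Pair each service principal in `klist -e` output with its (skey, tkt) enctypes."""
    results = []
    principal = None
    for line in klist_text.splitlines():
        m = re.search(r"Etype \(skey, tkt\):\s*(.+?),\s*(.+)$", line)
        if m and principal:
            results.append((principal, m.group(1).strip(), m.group(2).strip()))
            continue
        parts = line.split()
        if parts and "@" in parts[-1]:            # a ticket line ends with the service principal
            principal = parts[-1]
    return results


def audit(conf_text, klist_text):
    """Return findings keyed by severity; the 'weak' list is what needs action."""
    findings = {"weak": [], "legacy": []}
    for key, etypes in parse_libdefaults_enctypes(conf_text).items():
        for e in etypes:
            cls = classify_enctype(e)
            if cls in findings:
                findings[cls].append("%s lists %s" % (key, e))
    for principal, skey, tkt in parse_klist_etypes(klist_text):
        for label, e in (("session key", skey), ("ticket", tkt)):
            cls = classify_enctype(e)
            if cls in findings:
                findings[cls].append("%s: %s uses %s" % (principal, label, e))
    return findings


# Constructed sample krb5.conf: AES first, but DES and RC4 still permitted.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
    permitted_enctypes = aes256-cts-hmac-sha1-96 des3-cbc-sha1 rc4-hmac des-cbc-crc

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

# Constructed `klist -e` listing: one AES ticket, one DES (Secure NFS) ticket, one RC4 ticket.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_100
Default principal: alice@EXAMPLE.COM

Valid starting     Expires            Service principal
04/04/05 12:00:00  04/04/05 22:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
04/04/05 12:01:00  04/04/05 22:00:00  nfs/fs1.example.com@EXAMPLE.COM
\tEtype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
04/04/05 12:02:00  04/04/05 22:00:00  host/ad1.example.com@EXAMPLE.COM
\tEtype (skey, tkt): rc4-hmac, rc4-hmac
"""

if __name__ == "__main__":
    for severity, items in audit(SAMPLE_KRB5_CONF, SAMPLE_KLIST).items():
        for item in items:
            print("%-6s %s" % (severity.upper(), item))
```

Run against a real host, feed it the contents of `/etc/krb5/krb5.conf` (Solaris) or `/etc/krb5.conf` and the output of `klist -e` instead of the constructed strings. Findings on the `permitted_enctypes` line show what the client will still accept; findings on ticket lines show what the KDC actually issued, which is the more direct evidence that a service (Secure NFS in the sample) is still pinned to DES.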