Kerberos & GSS-API native support on Solaris

Nicolas Williams Nicolas.Williams at sun.com
Mon Apr 4 12:15:46 EDT 2005 

On Mon, Apr 04, 2005 at 01:32:05PM +0100, Newman, Edward (IDS GNS) wrote:
> Can anyone provide a support matrix for Kerberos on Solaris using native
> Sun libraries (rather than MIT or Heimdal). I have had particular
> difficulty in getting a definitive answer on this. The following appears
> to be the case:
> 
> Solaris 8
> Standard Global encryption versions of Kerberos and GSS-API (libgss)
> only provide for DES based integrity. No support for even DES based
> encryption or other stronger encryption algorithms (appears to show by
> missing GSS_KRB5_CONF_C_QOP_DES in /etc/gss/qop file).
> 
> Domestic encryption (possibly added via Solaris Encryption Kit) provides
> enhanced DES support for Kerberos. Still no support for RC4-HMAC.

Solaris 8's implementation of the Kerberos V mechanism supports the DES
enctypes only.

Its "Domestic" Kerberos V mechanism supports confidentiality and
integrity protection.  Its "Global" Kerberos V mechanism supports only
integrity protection.

> Solaris 9
> Global encryption libraries appear to support DES integrity and
> encryption. No RC4 support. 

Solaris 9's implementation of the Kerberos V mechanism supports the DES
enctypes only.

> Solaris 10
> Kerberos implementation supports many encryption variants through new
> Solaris 10 encryption APIs. Includes RC4-HMAC.

Solaris 10's implementation of the Kerberos V mechanism supports a
number of enctypes:

 - DES
 - 3DES
 - RC4-HMAC
 - AES-128
 - AES-256 (with the addition of the supplemental cryptographic
   packages)

> Clearly some of above could be resolved by installing MIT libraries and
> recompiling against these rather than native implementations. Just
> trying to understand what the existing native Solaris support consists
> of.

You can't replace the native Kerberos V implementation for Solaris
native consumers of it (RPCSEC_GSS, pam_krb5, telnet/in.telnetd, ...).

You can replace some, but not all, of the Solaris native consumers of
mech_krb5.  Specifically you cannot replace the RPCSEC_GSS component
(i.e., Secure NFS).

> What combination of packages and patches would provide full DES
> integrity and encryption on Solaris 8/9? Does someone maintain such an
> interoperability matrix for Kerberos? Any chance that Active Directory
> will move to AES?

See above.  For Solaris 8 you need the Domestic version of mech_krb5,
which comes with the Solaris Data Encryption Supplemental CD:

http://www.sun.com/software/solaris/encryption/

IIRC Solaris 9 ships only the domestic mech_krb5.

Nico
--

More information about the krbdev mailing list