Nicolas Williams wrote:
> On Fri, Jan 04, 2008 at 03:11:30PM -0700, Shawn M Emery wrote:
>> Mark Phalan wrote:
>>> The manpage, kadmin(1M) refers to kdc.conf(4) as the source of the list
>>> of enctypes used with (cpw -e and addprinc -e).
>>> The manpage, kdc.conf(4) lists the default for "supported_enctypes" but
>>> doesn't explicitly list the possible enctypes.
>
> Sure it does, at least on my Solaris Nevada system:
>
> "
> [...] Note that, if this relation is not
> specified, the default setting is:
>
> aes256-cts-hmac-sha1-96:normal \ (see note below)
> aes128-cts-hmac-sha1-96:normal \
> des3-cbc-sha1-kd:normal \
> arcfour-hmac-md5:normal \
> des-cbc-md5:normal
> "

These are not all possible enctypes.

>> The supported enc types are documented in krb5.conf and are disjoint from
>> the default set with the arcfour-hmac-md5-exp and des-cbc-crc elements.
>
> I don't follow this.

Supported encryption types also include arcfour-hmac-md5-exp and des-cbc-crc.

>>> Does the list of default enctypes include all the supported enctypes? If
>>
>> No, the supported set is found only in krb5.conf by design.
>
> Hmmm, no, supported_enctypes lives in kdc.conf. IIRC MIT wants to merge
> kdc.conf into krb5.conf (yay).

The distinction is between supported_enctypes and the encryption types supported by the Kerberos mechanism.

>>> not where can I find the list of supported enctypes?
>>
>> See above.
>
> #define DEFAULT_ENCTYPE_LIST \
> "aes256-cts-hmac-sha1-96:normal " \
> "aes128-cts-hmac-sha1-96:normal " \
> "des3-cbc-hmac-sha1-kd:normal " \
> "arcfour-hmac-md5:normal " \
> "arcfour-hmac-md5-exp:normal " \
> "des-cbc-md5:normal " \
> "des-cbc-crc:normal"
>
> I.e., all enctypes.
>
> Note that Solaris Kerberos differs from MIT Kerberos with regard to
> supported_enctypes as follows:
>
> - kadmin(1M)'s ktadd sub-command, on Solaris 10 and up, when called
> without a -e option always takes the local permitted_enctypes list
> and uses that as the list for -e, as if it had been given

Yes.

> - kadmind(1M) does NOT use supported_enctypes when clients call the
> randkey RPC that doesn't have the enctype list; instead it defaults
> to des-cbc-crc:normal only. That means: Solaris 8 and 9 kadmin ktadd
> clients and MIT kadmin ktadd clients used without -e.

s9- and s10+ call different functions in order to create keys with the correct encryption types:

s9-: chrand_principal_1_svc()
s10+: chrand_principal3_1_svc()

Shawn.
--
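As an added illustration (not code from this thread, nor from Solaris or MIT Kerberos): a small checker that parses the supported_enctypes relation from a kdc.conf-style realm stanza, handles the backslash continuations shown in the quoted manpage text, flags single-DES and export-grade RC4 entries, and reports which enctypes from the quoted DEFAULT_ENCTYPE_LIST the stanza leaves out. The sample stanza, the enctype name spellings (taken from the DEFAULT_ENCTYPE_LIST quote) and the weak-enctype rule are constructed assumptions for this example.

```python
import re

# Constructed sample of a kdc.conf [realms] stanza listing the five enctypes
# the thread quotes as the Solaris default (not a file from any real system).
SAMPLE_KDC_CONF = """\
[realms]
    EXAMPLE.COM = {
        profile = /etc/krb5/krb5.conf
        supported_enctypes = aes256-cts-hmac-sha1-96:normal \\
            aes128-cts-hmac-sha1-96:normal \\
            des3-cbc-hmac-sha1-kd:normal \\
            arcfour-hmac-md5:normal \\
            des-cbc-md5:normal
        max_life = 8h 0m 0s
    }
"""

# The full enctype set, as quoted from DEFAULT_ENCTYPE_LIST in the thread.
ALL_ENCTYPES = {
    "aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
    "des3-cbc-hmac-sha1-kd", "arcfour-hmac-md5", "arcfour-hmac-md5-exp",
    "des-cbc-md5", "des-cbc-crc",
}

def join_continuations(text):
    """Join lines that end in a backslash, as the profile parser does."""
    return re.sub(r"\\\n\s*", " ", text)

def parse_supported_enctypes(conf_text):
    """Return [(enctype, salt), ...] from the first supported_enctypes
    relation found; an entry without ':salt' is treated as 'normal'."""
    for line in join_continuations(conf_text).splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "supported_enctypes":
            pairs = []
            for item in value.split():
                enctype, _, salt = item.partition(":")
                pairs.append((enctype, salt or "normal"))
            return pairs
    return []

def is_weak(enctype):
    """Assumed policy: single DES and export-grade RC4 are too weak."""
    return enctype.startswith("des-cbc-") or enctype.endswith("-exp")

def audit(conf_text):
    """Weak enctypes the KDC will issue keys for, plus enctypes the
    mechanism supports that the relation does not list at all."""
    configured = {e for e, _ in parse_supported_enctypes(conf_text)}
    return {
        "weak_in_use": sorted(e for e in configured if is_weak(e)),
        "supported_but_unlisted": sorted(ALL_ENCTYPES - configured),
    }
```

Run against the sample stanza, the audit reports des-cbc-md5 as a weak enctype still in use and arcfour-hmac-md5-exp plus des-cbc-crc as the supported-but-unlisted pair the thread discusses.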
