Apologies everyone - this was a mixed-up response by me. Please disregard my discussion on download and compile; I'm discussing a behavior by our install base, not the MIT user community.

On Thu, Feb 25, 2016 at 9:13 AM, Todd Grayson <tgray...@cloudera.com> wrote:

> The supported encryption types are tied to the Kerberos release, which is
> tied to the OS release level by our distribution vendors. It is extremely
> rare for customers to be compiling / building Kerberos on their own.
>
> http://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html#libdefaults
> *permitted_enctypes*
>
> Note that permitted encryption types for the MIT libraries, REQUIRES the
> proper encryption type name be used, abbreviated names are not supported,
> what's in that link is the form of the name that will be parsed, invalid
> encryption types are ignored and the defaults are applied instead (all the
> types)
>
> Encryption types that are newer in the MIT/AD space are limited by the
> support of the JDK, detailed by the JGSS listing:
>
> http://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/jgss-api-mechanism.html
>
> Note arcfour-hmac-md5 is also supported (rc4-hmac)
>
> The JDK cannot support the newer CAMELLIA encryption types in the RHEL 7.1
>
> On Thu, Feb 25, 2016 at 8:39 AM, Simo Sorce <s...@redhat.com> wrote:
>
>> Note that the Kitten WG is working on standardizing new enctypes for AES
>> +HMAC-SHA2, this is the latest draft:
>> https://tools.ietf.org/html/draft-ietf-kitten-aes-cts-hmac-sha2-09
>>
>> Although it will take a while before all the most common implementations
>> will have support for it, and it may never land on older OSs.
>>
>> Simo.
>>
>> On Thu, 2016-02-25 at 14:22 +0000, Prashanth Marampally wrote:
>> > Yep. Got it!
>> >
>> > Thanks,
>> > Prashanth
>> >
>> > -----Original Message-----
>> > From: Rick van Rein [mailto:r...@openfortress.nl]
>> > Sent: Thursday, February 25, 2016 7:50 PM
>> > To: Prashanth Marampally
>> > Cc: kerberos@mit.edu
>> > Subject: Re: Quick question related to Kerberos + AES256 + SHA2
>> >
>> > OK,
>> >
>> > Also note that the hash is not SHA1 but HMAC-SHA1, which is much stronger.
>> > I didn't make that clear before.
>> >
>> > -Rick
>> >
>> > ________________________________________________
>> > Kerberos mailing list Kerberos@mit.edu
>> > https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York
>
> --
> Todd Grayson
> Business Operations Manager
> Customer Operations Engineering
> Security SME

--
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME