encryption types in krb5.conf - Kerberos


  1. encryption types in krb5.conf

    Hi,

    I'm trying to enable use of des3-hmac-sha1 as one of the supported enctypes on a Linux machine.

    kdc.conf on my Linux machine is as below:
    master_key_type = des-cbc-crc
    supported_enctypes = des3-cbc-sha1:normal des-cbc-md5:normal des-cbc-crc:normal

    Created the database and restarted the kerberos services.

    I followed the below steps to run my client/server program that uses this KDC:

    1) Added principals client/hostname and server/hostname to the kerberos database

    2) Listed these principals using getprinc, it showed 3 keys. Each key indicating an encryption type as shown above.

    3) Did a kinit client/hostname and kinit server/hostname from the client by specifying only des3-hmac-sha1 as the default_tgt/tgs_enctype in the client side krb5.conf.

    4) klist -e displayed encryption key as DES3-CBC-SHA1 for both the client and the server. My client/server program worked fine.

    But when I repeated the above steps with "des-cbc-crc des3-cbc-sha1" as the default_tgt/tgs_enctype in the client side krb5.conf, the client/server program failed with GSS Exception and with
    Cryptography key des3-cbc-sha1 not found.

    On doing a klist -e it showed only DES-CBC-CRC.

    Can someone please help me resolve this? What is the order in which the encryption types are picked up on both client side or on the KDC side? Thank You.

    Regards,
    Chandrakala





    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: encryption types in krb5.conf

    Hi,

    This nice presentation on kerberos encryption
    types from Will Fiveash should clear your doubts.

    http://www.filibeto.org/~aduritz/tru...ctypes_so8.pdf

    Preetam

    --- chandrakala wrote:

    > Hi,
    >
    > I'm trying to enable use of des3-hmac-sha1 as one
    > of the supported enctypes on a Linux machine.
    >
    > kdc.conf on my Linux machine is as below:
    > master_key_type = des-cbc-crc
    > supported_enctypes = des3-cbc-sha1:normal
    > des-cbc-md5:normal des-cbc-crc:normal
    >
    > Created the database and restarted the kerberos
    > services.
    >
    > I followed the below steps to run my client/server
    > program that uses this KDC:
    >
    > 1) Added principals client/hostname and
    > server/hostname to the kerberos database
    >
    > 2) Listed these principals using getprinc, it showed
    > 3 keys. Each key indicating an encryption type as
    > shown above.
    >
    > 3) Did a kinit client/hostname and kinit
    > server/hostname from the client by specifying only
    > des3-hmac-sha1 as the default_tgt/tgs_enctype in the
    > client side krb5.conf.
    >
    > 4) klist -e displayed encryption key as
    > DES3-CBC-SHA1 for both the client and the server. My
    > client/server program worked fine.
    >
    > But when I repeated the above steps with
    > "des-cbc-crc des3-cbc-sha1" as the
    > default_tgt/tgs_enctype in the client side
    > krb5.conf, the client/server program failed with GSS
    > Exception and with
    > Cryptography key des3-cbc-sha1 not found.
    >
    > On doing a klist -e it showed only DES-CBC-CRC.
    >
    > Can someone please help me resolve this? What is the
    > order in which the encryption types are picked up on
    > both client side or on the KDC side? Thank You.
    >
    > Regards,
    > Chandrakala





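The thread asks in what order encryption types are picked. The following is an added illustration, not part of either post and not MIT krb5 code: it models one simplified rule, assumed here, in which the KDC takes the first enctype in the client's preference list that it also supports. `default_tkt_enctypes` and `default_tgs_enctypes` are the full krb5.conf key names, and the sample configs are constructed from the values in the first post.

```python
# Added illustration: a simplified negotiation model, not MIT krb5 source.
ALIASES = {"des3-hmac-sha1": "des3-cbc-sha1", "des3-cbc-sha1-kd": "des3-cbc-sha1"}
SINGLE_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}  # deprecated by RFC 6649

def canon(token):
    """Lower-case, drop a ':normal' style salt suffix, resolve known aliases."""
    name = token.strip().lower().split(":")[0]
    return ALIASES.get(name, name)

def parse_setting(conf_text, key):
    """Return the canonical enctype list for a 'key = a b c' line, in file order."""
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # comment line
        k, sep, v = line.partition("=")
        if sep and k.strip() == key:
            return [canon(t) for t in v.replace(",", " ").split()]
    return []

def negotiate(client_pref, kdc_supported):
    """Assumed rule: first client-preferred enctype that the KDC also supports."""
    return next((e for e in client_pref if e in kdc_supported), None)

def audit(client_conf, kdc_conf):
    """Report the modelled outcome for each client-side enctype setting."""
    kdc = parse_setting(kdc_conf, "supported_enctypes")
    report = {}
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        pref = parse_setting(client_conf, key)
        chosen = negotiate(pref, kdc)
        report[key] = {"chosen": chosen,
                       "weak": chosen in SINGLE_DES,
                       "unsupported": [e for e in pref if e not in kdc]}
    return report

# Constructed sample configs using the values quoted in the first post.
KDC_CONF = """master_key_type = des-cbc-crc
supported_enctypes = des3-cbc-sha1:normal des-cbc-md5:normal des-cbc-crc:normal"""
CLIENT_A = """default_tkt_enctypes = des3-hmac-sha1
default_tgs_enctypes = des3-hmac-sha1"""
CLIENT_B = """default_tkt_enctypes = des-cbc-crc des3-cbc-sha1
default_tgs_enctypes = des-cbc-crc des3-cbc-sha1"""

if __name__ == "__main__":
    for label, conf in (("A", CLIENT_A), ("B", CLIENT_B)):
        print(label, audit(conf, KDC_CONF))
```

Under this model the second client configuration ends up with a single-DES key, which RFC 6649 deprecates, because des-cbc-crc is listed first.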