instead of reading it from a stash file.
**-e** "*enc*:*salt* ..."
- Sets the list of encryption types and salt types to be used for
- any new keys created. See :ref:`Encryption_and_salt_types` in
- :ref:`kdc.conf(5)` for a list of possible values.
+ Sets the keysalt list to be used for any new keys created. See
+ :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a list of possible
+ values.
**-O**
Force use of old AUTH_GSSAPI authentication flavor.
via the process list.
**-e** *enc*:*salt*,...
- Uses the specified list of enctype-salttype pairs for setting the
- key of the principal.
+ Uses the specified keysalt list for setting the keys of the
+ principal. See :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a
+ list of possible values.
**-x** *db_princ_args*
Indicates database-specific options. The options for the LDAP
the process list.
**-e** *enc*:*salt*,...
- Uses the specified list of enctype-salttype pairs for setting the
- key of the principal.
+ Uses the specified keysalt list for setting the keys of the
+ principal. See :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a
+ list of possible values.
**-keepold**
Keeps the existing keys in the database. This flag is usually not
**session_enctypes**
Specifies the encryption types supported for session keys when the
principal is authenticated to as a server. See
- :ref:`Encryption_and_salt_types` in :ref:`kdc.conf(5)` for a list
- of the accepted values.
+ :ref:`Encryption_types` in :ref:`kdc.conf(5)` for a list of the
+ accepted values.
This command requires the **modify** privilege.
**-allowedkeysalts**
Specifies the key/salt tuples supported for long-term keys when
setting or changing a principal's password/keys. See
- :ref:`Encryption_and_salt_types` in :ref:`kdc.conf(5)` for a list
- of the accepted values, but note that key/salt tuples must be
- separated with commas (',') only. To clear the allowed key/salt
- policy use a value of '-'.
+ :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a list of the
+ accepted values, but note that key/salt tuples must be separated
+ with commas (',') only. To clear the allowed key/salt policy use
+ a value of '-'.
Example:
used.
**-e** *enc*:*salt*,...
- Use the specified list of enctype-salttype pairs for setting the
- new keys of the principal.
+ Uses the specified keysalt list for setting the new keys of the
+ principal. See :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a
+ list of possible values.
**-q**
Display less verbose information.
Adds a new master key to the master key principal, but does not mark
it as active. Existing master keys will remain. The **-e** option
specifies the encryption type of the new master key; see
-:ref:`Encryption_and_salt_types` in :ref:`kdc.conf(5)` for a list of
-possible values. The **-s** option stashes the new master key in the
-stash file, which will be created if it doesn't already exist.
+:ref:`Encryption_types` in :ref:`kdc.conf(5)` for a list of possible
+values. The **-s** option stashes the new master key in the stash
+file, which will be created if it doesn't already exist.
After a new master key is added, it should be propagated to slave
servers via a manual or periodic invocation of :ref:`kprop(8)`. Then,
**master_key_type**
(Key type string.) Specifies the master key's key type. The
default value for this is |defmkey|. For a list of all possible
- values, see :ref:`Encryption_and_salt_types`.
+ values, see :ref:`Encryption_types`.
**max_life**
(:ref:`duration` string.) Specifies the maximum time period for
combinations of principals for this realm. Any principals created
through :ref:`kadmin(1)` will have keys of these types. The
default value for this tag is |defkeysalts|. For lists of
- possible values, see :ref:`Encryption_and_salt_types`.
+ possible values, see :ref:`Keysalt_lists`.
.. _dbdefaults:
policy is such that up-to-date CRLs must be present for every CA.
-.. _Encryption_and_salt_types:
+.. _Encryption_types:
-Encryption and salt types
--------------------------
+Encryption types
+----------------
Any tag in the configuration files which requires a list of encryption
types can be set to some combination of the following strings.
krb5 without AES support must not be given AES keys in the KDC
database.
-Kerberos keys for users are usually derived from passwords. To ensure
-that people who happen to pick the same password do not have the same
-key, Kerberos 5 incorporates more information into the key using
-something called a salt. The supported salt types are as follows:
+
+.. _Keysalt_lists:
+
+Keysalt lists
+-------------
+
+Kerberos keys for users are usually derived from passwords. Kerberos
+commands and configuration parameters that affect generation of keys
+take lists of enctype-salttype ("keysalt") pairs, known as *keysalt
+lists*. Each keysalt pair is an enctype name followed by a salttype
+name, in the format *enc*:*salt*. Individual keysalt list members are
+separated by comma (",") characters or space characters. For example:
+
+ ::
+
+ kadmin -e aes256-cts:normal,aes128-cts:normal
+
+would start up kadmin so that by default it would generate
+password-derived keys for the **aes256-cts** and **aes128-cts**
+encryption types, using a **normal** salt.
+
+To ensure that people who happen to pick the same password do not have
+the same key, Kerberos 5 incorporates more information into the key
+using something called a salt. The supported salt types are as
+follows:
================= ============================================
normal default for Kerberos Version 5
The libdefaults section may contain any of the following relations:
**allow_weak_crypto**
- If this flag is set to false, then weak encryption types (as noted in
- :ref:`Encryption_and_salt_types` in :ref:`kdc.conf(5)`) will be filtered
- out of the lists **default_tgs_enctypes**, **default_tkt_enctypes**, and
- **permitted_enctypes**. The default value for this tag is false, which
- may cause authentication failures in existing Kerberos infrastructures
- that do not support strong crypto. Users in affected environments
- should set this tag to true until their infrastructure adopts
- stronger ciphers.
+ If this flag is set to false, then weak encryption types (as noted
+ in :ref:`Encryption_types` in :ref:`kdc.conf(5)`) will be filtered
+ out of the lists **default_tgs_enctypes**,
+ **default_tkt_enctypes**, and **permitted_enctypes**. The default
+ value for this tag is false, which may cause authentication
+ failures in existing Kerberos infrastructures that do not support
+ strong crypto. Users in affected environments should set this tag
+ to true until their infrastructure adopts stronger ciphers.
**ap_req_checksum_type**
An integer which specifies the type of AP-REQ checksum to use in
Identifies the supported list of session key encryption types that
the client should request when making a TGS-REQ, in order of
preference from highest to lowest. The list may be delimited with
- commas or whitespace. See :ref:`Encryption_and_salt_types` in
+ commas or whitespace. See :ref:`Encryption_types` in
:ref:`kdc.conf(5)` for a list of the accepted values for this tag.
The default value is |defetypes|, but single-DES encryption types
will be implicitly removed from this list if the value of
Enctype compatibility
---------------------
-See :ref:`Encryption_and_salt_types` for additional information about
-enctypes.
+See :ref:`Encryption_types` for additional information about enctypes.
======================= ===== ======== =======
enctype weak? krb5 Windows
Plugin base directory |libdir|\ ``/krb5/plugins``
:ref:`rcache_definition` directory ``/var/tmp`` **KRB5RCACHEDIR**
Master key default enctype |defmkey|
-Supported :ref:`Encryption_and_salt_types` |defkeysalts|
+Default :ref:`keysalt list<Keysalt_lists>` |defkeysalts|
Permitted enctypes |defetypes|
KDC default port 88
Second KDC default port 750
projects / thirdparty / krb5.git / commitdiff
