================= ============================================
normal default for Kerberos Version 5
-v4 the only type used by Kerberos Version 4 (no salt)
norealm same as the default, without using realm information
onlyrealm uses only realm information as the salt
-afs3 AFS version 3, only used for compatibility with Kerberos 4 in AFS
special generate a random salt
================= ============================================
/* Salt types */
#define KRB5_KDB_SALTTYPE_NORMAL 0
-#define KRB5_KDB_SALTTYPE_V4 1
+/* #define KRB5_KDB_SALTTYPE_V4 1 */
#define KRB5_KDB_SALTTYPE_NOREALM 2
#define KRB5_KDB_SALTTYPE_ONLYREALM 3
#define KRB5_KDB_SALTTYPE_SPECIAL 4
-#define KRB5_KDB_SALTTYPE_AFS3 5
+/* #define KRB5_KDB_SALTTYPE_AFS3 5 */
#define KRB5_KDB_SALTTYPE_CERTHASH 6
/* Attributes */
kadmind_port = 1751
kpasswd_port = 1752
master_key_type = des3-hmac-sha1
- supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-md5:normal des-cbc-raw:normal
+ supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-md5:normal des-cbc-raw:normal
}
return add_pa_data_element(pa_list, pa);
}
-/* Add PW-SALT or AFS3-SALT entries to pa_list as appropriate for the request
- * and client principal. */
+/* Add PW-SALT entries to pa_list as appropriate for the request and client
+ * principal. */
static krb5_error_code
add_pw_salt(krb5_context context, krb5_kdcpreauth_rock rock,
krb5_pa_data ***pa_list)
if (ret)
return 0;
- if (salttype == KRB5_KDB_SALTTYPE_AFS3) {
- ret = alloc_pa_data(KRB5_PADATA_AFS3_SALT, salt->length + 1, &pa);
- if (ret)
- goto cleanup;
- memcpy(pa->contents, salt->data, salt->length);
- pa->contents[salt->length] = '\0';
- } else {
- /* Steal memory from salt to make the pa-data entry. */
- ret = alloc_pa_data(KRB5_PADATA_PW_SALT, 0, &pa);
- if (ret)
- goto cleanup;
- pa->length = salt->length;
- pa->contents = (uint8_t *)salt->data;
- salt->data = NULL;
- }
+ /* Steal memory from salt to make the pa-data entry. */
+ ret = alloc_pa_data(KRB5_PADATA_PW_SALT, 0, &pa);
+ if (ret)
+ goto cleanup;
+ pa->length = salt->length;
+ pa->contents = (uint8_t *)salt->data;
+ salt->data = NULL;
/* add_pa_data_element() claims pa on success or failure. */
ret = add_pa_data_element(pa_list, pa);
&salttype, &salt);
if (retval)
goto cleanup;
- if (etype_info2 && salttype == KRB5_KDB_SALTTYPE_AFS3) {
- switch (etype) {
- case ENCTYPE_DES_CBC_CRC:
- case ENCTYPE_DES_CBC_MD4:
- case ENCTYPE_DES_CBC_MD5:
- retval = alloc_data(&entry->s2kparams, 1);
- if (retval)
- goto cleanup;
- entry->s2kparams.data[0] = 1;
- break;
- default:
- break;
- }
- }
entry->length = salt->length;
entry->salt = (unsigned char *)salt->data;
# I'd like to specify a long list of keysalt tuples and make sure
# that chpass does the right thing, but we can only use those
- # enctypes that krbtgt has a key for: des-cbc-crc:normal and
- # des-cbc-crc:v4, according to the prototype kdc.conf.
+ # enctypes that krbtgt has a key for: des-cbc-crc:normal
+ # according to the prototype kdc.conf.
if {! [cmd [format {
kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
$KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 \
}
# XXX Perhaps I should actually check the key type returned.
- if {$num_keys == 3} {
+ if {$num_keys == 2} {
pass "$test"
} else {
- fail "$test: $num_keys keys, should be 3"
+ fail "$test: $num_keys keys, should be 2"
}
if { ! [cmd {kadm5_destroy $server_handle}]} {
perror "$test: unexpected failure in destroy"
}
set failed 0
- if {$num_keys != 3} {
- fail "$test: num_keys $num_keys should be 3"
+ if {$num_keys != 2} {
+ fail "$test: num_keys $num_keys should be 2"
set failed 1
}
for {set i 0} {$i < $num_keys} {incr i} {
if (retval)
return retval;
break;
- case KRB5_KDB_SALTTYPE_V4:
- sdata = empty_data();
- break;
case KRB5_KDB_SALTTYPE_NOREALM:
retval = krb5_principal2salt_norealm(context, princ, &sdata);
if (retval)
return retval;
break;
- case KRB5_KDB_SALTTYPE_AFS3:
case KRB5_KDB_SALTTYPE_ONLYREALM:
return krb5_copy_data(context, &princ->realm, salt_out);
case KRB5_KDB_SALTTYPE_SPECIAL:
krb5_keysalt key_salt;
krb5_keyblock key;
krb5_data pwd;
- krb5_data afs_params = string2data("\1"), *s2k_params;
int i, j;
krb5_key_data *kd_slot;
krb5_boolean similar;
similar = 0;
- s2k_params = NULL;
/*
* We could use krb5_keysalt_iterate to replace this loop, or use
&key_salt.data)))
return(retval);
break;
- case KRB5_KDB_SALTTYPE_V4:
- key_salt.data.length = 0;
- key_salt.data.data = 0;
- break;
- case KRB5_KDB_SALTTYPE_AFS3:
- retval = krb5int_copy_data_contents(context,
- &db_entry->princ->realm,
- &key_salt.data);
- if (retval)
- return retval;
- s2k_params = &afs_params;
- break;
case KRB5_KDB_SALTTYPE_SPECIAL:
retval = make_random_salt(context, &key_salt);
if (retval)
retval = krb5_c_string_to_key_with_params(context,
ks_tuple[i].ks_enctype,
&pwd, &key_salt.data,
- s2k_params, &key);
+ NULL, &key);
if (retval) {
free(key_salt.data.data);
return retval;
#include "kdb.h"
static const struct salttype_lookup_entry salttype_table[] = {
{ KRB5_KDB_SALTTYPE_NORMAL, "normal" },
- { KRB5_KDB_SALTTYPE_V4, "v4", },
{ KRB5_KDB_SALTTYPE_NOREALM, "norealm", },
{ KRB5_KDB_SALTTYPE_ONLYREALM, "onlyrealm", },
{ KRB5_KDB_SALTTYPE_SPECIAL, "special", },
- { KRB5_KDB_SALTTYPE_AFS3, "afs3", },
};
static const int salttype_table_nents = sizeof(salttype_table)/
sizeof(salttype_table[0]);
realm.run([kadminl, 'ank', '-e', 'aes256-cts:special', '-pw', 'pw', 'exp'])
realm.run([kadminl, 'ank', '-e', 'aes256-cts:special', '-pw', 'pw', '+preauth',
'pexp'])
-realm.run([kadminl, 'ank', '-e', 'des-cbc-crc:afs3', '-pw', 'pw', 'afs'])
-realm.run([kadminl, 'ank', '-e', 'des-cbc-crc:afs3', '-pw', 'pw', '+preauth',
- 'pafs'])
# Extract the explicit salt values from the database.
out = realm.run([kdb5_util, 'tabdump', 'keyinfo'])
realm.run(['./t_get_etype_info', 'pexp'],
expected_msg='etype: aes256-cts\nsalt: ' + pexp_salt + '\n')
-msg = 'etype: des-cbc-crc\nsalt: KRBTEST.COM\ns2kparams: 01\n'
-realm.run(['./t_get_etype_info', 'afs'], expected_msg=msg)
-realm.run(['./t_get_etype_info', 'pafs'], expected_msg=msg)
-
success('krb5_get_etype_info() tests')
.\" Man page generated from reStructuredText.
.
-.TH "KDC.CONF" "5" " " "1.17" "MIT Kerberos"
+.TH "KDC.CONF" "5" " " "1.18" "MIT Kerberos"
.SH NAME
kdc.conf \- Kerberos V5 KDC configuration file
.
T}
_
T{
-v4
-T} T{
-the only type used by Kerberos Version 4 (no salt)
-T}
-_
-T{
norealm
T} T{
same as the default, without using realm information
T}
_
T{
-afs3
-T} T{
-AFS version 3, only used for compatibility with Kerberos 4 in AFS
-T}
-_
-T{
special
T} T{
generate a random salt
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2018, MIT
+1985-2019, MIT
.\" Generated by docutils manpage writer.
.
{master_key_type=aes256-cts-hmac-sha1-96}
{dummy=[verbose -log "AES + DES enctypes, DES3 TGT"]}
}
- {
- des-v4
- mode=udp
- des3_krbtgt=0
- {supported_enctypes=des-cbc-crc:v4}
- {default_tkt_enctypes(client)=des-cbc-crc}
- {dummy=[verbose -log "DES TGT, DES-CRC enctype, V4 salt"]}
- }
- {
- des-md5-v4
- mode=udp
- des3_krbtgt=0
- {supported_enctypes=des-cbc-md5:v4 des-cbc-crc:v4}
- {default_tkt_enctypes(client)=des-cbc-md5 des-cbc-crc}
- {dummy=[verbose -log "DES TGT, DES-MD5 and -CRC enctypes, V4 salt"]}
- }
{
all-enctypes
mode=udp
aes128-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:norealm \
des3-cbc-sha1:normal des3-cbc-sha1:none \
des-cbc-md5:normal des-cbc-md4:normal des-cbc-crc:normal \
- des-cbc-md5:v4 des-cbc-md4:v4 des-cbc-crc:v4 \
}
{dummy=[verbose -log "DES3 TGT, default enctypes"]}
}
from k5test import *
-supported_enctypes = 'aes128-cts des3-cbc-sha1 rc4-hmac des-cbc-crc:afs3'
+supported_enctypes = 'aes128-cts des3-cbc-sha1 rc4-hmac'
conf = {'libdefaults': {'allow_weak_crypto': 'true'},
'realms': {'$realm': {'supported_enctypes': supported_enctypes}}}
realm = K5Realm(create_host=False, get_creds=False, krb5_conf=conf)
test_etinfo('preauthuser', 'rc4 aes256-cts',
['error etype_info2 rc4-hmac KRBTEST.COMpreauthuser'])
-# AFS3 salt for DES enctypes is conveyed using s2kparams in
-# PA-ETYPE-INFO2, not at all in PA-ETYPE-INFO, and with a special padata
-# type instead of PA-PW-SALT.
-test_etinfo('user', 'des-cbc-crc rc4',
- ['asrep etype_info2 des-cbc-crc KRBTEST.COM 01',
- 'asrep etype_info des-cbc-crc KRBTEST.COM',
- 'asrep afs3_salt KRBTEST.COM'])
-test_etinfo('preauthuser', 'des-cbc-crc rc4',
- ['error etype_info2 des-cbc-crc KRBTEST.COM 01',
- 'error etype_info des-cbc-crc KRBTEST.COM'])
-
-# DES keys can be used with other DES enctypes. The requested enctype
-# shows up in the etype-info, not the database key enctype.
-test_etinfo('user', 'des-cbc-md4 rc4',
- ['asrep etype_info2 des-cbc-md4 KRBTEST.COM 01',
- 'asrep etype_info des-cbc-md4 KRBTEST.COM',
- 'asrep afs3_salt KRBTEST.COM'])
-test_etinfo('user', 'des-cbc-md5 rc4',
- ['asrep etype_info2 des KRBTEST.COM 01',
- 'asrep etype_info des KRBTEST.COM',
- 'asrep afs3_salt KRBTEST.COM'])
-
# If no keys are found matching the request enctypes, a
# preauth-required error can be generated with no etype-info at all
# (to allow for preauth mechs which don't depend on long-term keys).
realm.run([kadminl, 'ank', '-e', 'aes256-cts:special', '-pw', 'pw', 'exp'])
realm.run([kadminl, 'ank', '-e', 'aes256-cts:special', '-pw', 'pw', '+preauth',
'pexp'])
-realm.run([kadminl, 'ank', '-e', 'des-cbc-crc:afs3', '-pw', 'pw', 'afs'])
-realm.run([kadminl, 'ank', '-e', 'des-cbc-crc:afs3', '-pw', 'pw', '+preauth',
- 'pafs'])
# Extract one of the explicit salt values from the database.
out = realm.run([kdb5_util, 'tabdump', 'keyinfo'])
test_addent(realm, 'default', '-f -e aes128-cts')
test_addent(realm, 'exp', '-f')
test_addent(realm, 'pexp', '-f')
-test_addent(realm, 'afs', '-f')
-test_addent(realm, 'pafs', '-f')
success('Keytab-related tests')
success('Keytab-related tests')
enctype = "aes128-cts"
realm = K5Realm(create_host=False, create_user=False)
-salttypes = ('normal', 'v4', 'norealm', 'onlyrealm')
+salttypes = ('normal', 'norealm', 'onlyrealm')
# For a variety of salt types, test that we can rename a principal and
# still get tickets with the same password.
realm.run([kadminl, 'delprinc', 'user'])
# Enctype/salt pairs chosen with non-default salt types.
-# The enctypes are mostly arbitrary, though afs3 must only be used with des.
-# We do not enforce that v4 salts must only be used with des, but it seems
-# like a good idea.
-salts = [('des-cbc-crc', 'afs3'),
- ('des3-cbc-sha1', 'norealm'),
+# The enctypes are mostly arbitrary.
+salts = [('des3-cbc-sha1', 'norealm'),
('arcfour-hmac', 'onlyrealm'),
- ('des-cbc-crc', 'v4'),
('aes128-cts-hmac-sha1-96', 'special')]
# These enctypes are chosen to cover the different string-to-key routines.
# Omit ":normal" from aes256 to check that salttype defaulting works.
for ks in dup_kstypes:
test_dup(realm, ks)
-# Attempt to create a principal with a non-des enctype and the afs3 salt,
-# verifying that the expected error is received and the principal creation
-# fails.
-def test_reject_afs3(realm, etype):
- query = 'ank -e ' + etype + ':afs3 -pw password princ1'
- realm.run([kadminl, 'ank', '-e', etype + ':afs3', '-pw', 'password',
- 'princ1'], expected_code=1,
- expected_msg='Invalid key generation parameters from KDC')
- realm.run([kadminl, 'getprinc', 'princ1'], expected_code=1,
- expected_msg='Principal does not exist')
-
-# Verify that the afs3 salt is rejected for arcfour and pbkdf2 enctypes.
-# We do not currently do any verification on the key-generation parameters
-# for the triple-DES enctypes, so that test is commented out.
-test_reject_afs3(realm, 'arcfour-hmac')
-test_reject_afs3(realm, 'aes256-cts-hmac-sha1-96')
-#test_reject_afs3(realm, 'des3-cbc-sha1')
-
success("Salt types")
# No special settings; exercises AES256.
('default', None, None, None),
- # Exercise a DES enctype and the v4 salt type.
- ('desv4', None,
- {'libdefaults': {
- 'default_tgs_enctypes': 'des-cbc-crc',
- 'default_tkt_enctypes': 'des-cbc-crc',
- 'permitted_enctypes': 'des-cbc-crc',
- 'allow_weak_crypto': 'true'}},
- {'realms': {'$realm': {
- 'supported_enctypes': 'des-cbc-crc:v4',
- 'master_key_type': 'des-cbc-crc'}}}),
-
# Exercise the DES3 enctype.
('des3', None,
{'libdefaults': {
projects / thirdparty / krb5.git / commitdiff
