preference from highest to lowest. The list may be delimited with
commas or whitespace. See :ref:`Encryption_types` in
:ref:`kdc.conf(5)` for a list of the accepted values for this tag.
- The default value is |defetypes|.
+ Starting in release 1.18, the default value is the value of
+ **permitted_enctypes**. For previous releases or if
+ **permitted_enctypes** is not set, the default value is
+ |defetypes|.
Do not set this unless required for specific backward
compatibility purposes; stale values of this setting can prevent
Identifies the supported list of session key encryption types that
the client should request when making an AS-REQ, in order of
preference from highest to lowest. The format is the same as for
- default_tgs_enctypes. The default value for this tag is
- |defetypes|.
+ default_tgs_enctypes. Starting in release 1.18, the default
+ value is the value of **permitted_enctypes**. For previous
+ releases or if **permitted_enctypes** is not set, the default
+ value is |defetypes|.
Do not set this unless required for specific backward
compatibility purposes; stale values of this setting can prevent
used across NATs. The default value is true.
**permitted_enctypes**
- Identifies all encryption types that are permitted for use in
- session key encryption. The default value for this tag is
- |defetypes|.
+ Identifies the encryption types that servers will permit for
+ session keys and for ticket and authenticator encryption, ordered
+ by preference from highest to lowest. Starting in release 1.18,
+ this tag also acts as the default value for
+ **default_tgs_enctypes** and **default_tkt_enctypes**. The
+ default value for this tag is |defetypes|.
**plugin_base_dir**
If set, determines the base directory where krb5 plugins are
required for backward compatibility.
**permitted_enctypes**
- controls the set of enctypes that a service will accept as session
- keys.
+ controls the set of enctypes that a service will permit for
+ session keys and for ticket and authenticator encryption. The KDC
+ and other programs that access the Kerberos database will ignore
+ keys of non-permitted enctypes. Starting in release 1.18, this
+ setting also acts as the default for **default_tkt_enctypes** and
+ **defaut_tgs_enctypes**.
**default_tkt_enctypes**
controls the default set of enctypes that the Kerberos client
if (list == NULL)
return ENOMEM;
- *result = list;
- return 0;
-}
-
-/*
- * Set *etypes_ptr to a zero-terminated list of enctypes. ctx_list
- * (containing application-specified enctypes) is used if non-NULL;
- * otherwise the libdefaults profile string specified by profkey is
- * used. default_list is the default enctype list to be used while
- * parsing profile strings, and is also used if the profile string is
- * not set.
- */
-static krb5_error_code
-get_profile_etype_list(krb5_context context, krb5_enctype **etypes_ptr,
- char *profkey, krb5_enctype *ctx_list,
- krb5_enctype *default_list)
-{
- krb5_enctype *etypes;
- krb5_error_code code;
- char *profstr;
-
- *etypes_ptr = NULL;
-
- if (ctx_list) {
- /* Use application defaults. */
- code = k5_copy_etypes(ctx_list, &etypes);
- if (code)
- return code;
- } else {
- /* Parse profile setting, or "DEFAULT" if not specified. */
- code = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS,
- profkey, NULL, "DEFAULT", &profstr);
- if (code)
- return code;
- code = krb5int_parse_enctype_list(context, profkey, profstr,
- default_list, &etypes);
- profile_release_string(profstr);
- if (code)
- return code;
- }
-
- if (etypes[0] == 0) {
- free(etypes);
+ if (list[0] == ENCTYPE_NULL) {
+ free(list);
return KRB5_CONFIG_ETYPE_NOSUPP;
}
-
- *etypes_ptr = etypes;
+ *result = list;
return 0;
}
krb5_error_code
krb5_get_default_in_tkt_ktypes(krb5_context context, krb5_enctype **ktypes)
{
- return get_profile_etype_list(context, ktypes,
- KRB5_CONF_DEFAULT_TKT_ENCTYPES,
- context->in_tkt_etypes,
- default_enctype_list);
+ krb5_error_code ret;
+ char *profstr = NULL;
+ const char *profkey;
+
+ *ktypes = NULL;
+
+ if (context->in_tkt_etypes != NULL)
+ return k5_copy_etypes(context->in_tkt_etypes, ktypes);
+
+ profkey = KRB5_CONF_DEFAULT_TKT_ENCTYPES;
+ ret = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS,
+ profkey, NULL, NULL, &profstr);
+ if (ret)
+ return ret;
+ if (profstr == NULL) {
+ profkey = KRB5_CONF_PERMITTED_ENCTYPES;
+ ret = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS,
+ profkey, NULL, "DEFAULT", &profstr);
+ if (ret)
+ return ret;
+ }
+
+ ret = krb5int_parse_enctype_list(context, profkey, profstr,
+ default_enctype_list, ktypes);
+ profile_release_string(profstr);
+ return ret;
}
void
free (val);
}
-krb5_error_code
-KRB5_CALLCONV
-krb5_get_tgs_ktypes(krb5_context context, krb5_const_principal princ, krb5_enctype **ktypes)
+krb5_error_code KRB5_CALLCONV
+krb5_get_tgs_ktypes(krb5_context context, krb5_const_principal princ,
+ krb5_enctype **ktypes)
{
- if (context->use_conf_ktypes)
- /* This one is set *only* by reading the config file; it's not
- set by the application. */
- return get_profile_etype_list(context, ktypes,
- KRB5_CONF_DEFAULT_TGS_ENCTYPES, NULL,
- default_enctype_list);
- else
- return get_profile_etype_list(context, ktypes,
- KRB5_CONF_DEFAULT_TGS_ENCTYPES,
- context->tgs_etypes,
- default_enctype_list);
+ krb5_error_code ret;
+ char *profstr = NULL;
+ const char *profkey;
+
+ *ktypes = NULL;
+
+ /* Use only profile configuration when use_conf_ktypes is set. */
+ if (!context->use_conf_ktypes && context->tgs_etypes != NULL)
+ return k5_copy_etypes(context->tgs_etypes, ktypes);
+
+ profkey = KRB5_CONF_DEFAULT_TGS_ENCTYPES;
+ ret = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS,
+ profkey, NULL, NULL, &profstr);
+ if (ret)
+ return ret;
+ if (profstr == NULL) {
+ profkey = KRB5_CONF_PERMITTED_ENCTYPES;
+ ret = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS,
+ profkey, NULL, "DEFAULT", &profstr);
+ if (ret)
+ return ret;
+ }
+
+ ret = krb5int_parse_enctype_list(context, profkey, profstr,
+ default_enctype_list, ktypes);
+ profile_release_string(profstr);
+ return ret;
}
krb5_error_code KRB5_CALLCONV
krb5_get_permitted_enctypes(krb5_context context, krb5_enctype **ktypes)
{
- return get_profile_etype_list(context, ktypes,
- KRB5_CONF_PERMITTED_ENCTYPES,
- context->tgs_etypes, default_enctype_list);
+ krb5_error_code ret;
+ char *profstr = NULL;
+ const char *profkey;
+
+ *ktypes = NULL;
+
+ if (context->tgs_etypes != NULL)
+ return k5_copy_etypes(context->tgs_etypes, ktypes);
+
+ profkey = KRB5_CONF_PERMITTED_ENCTYPES;
+ ret = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS,
+ profkey, NULL, "DEFAULT", &profstr);
+ if (ret)
+ return ret;
+
+ ret = krb5int_parse_enctype_list(context, profkey, profstr,
+ default_enctype_list, ktypes);
+ profile_release_string(profstr);
+ return ret;
}
krb5_boolean
.\" Man page generated from reStructuredText.
.
-.TH "KRB5.CONF" "5" " " "1.18" "MIT Kerberos"
+.TH "KRB5.CONF" "5" " " "1.19" "MIT Kerberos"
.SH NAME
krb5.conf \- Kerberos configuration file
.
preference from highest to lowest. The list may be delimited with
commas or whitespace. See Encryption_types in
kdc.conf(5) for a list of the accepted values for this tag.
-The default value is \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes256\-cts\-hmac\-sha384\-192 aes128\-cts\-hmac\-sha256\-128 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac\fP\&.
+Starting in release 1.18, the default value is the value of
+\fBpermitted_enctypes\fP\&. For previous releases or if
+\fBpermitted_enctypes\fP is not set, the default value is
+\fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes256\-cts\-hmac\-sha384\-192 aes128\-cts\-hmac\-sha256\-128 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac\fP\&.
.sp
Do not set this unless required for specific backward
compatibility purposes; stale values of this setting can prevent
Identifies the supported list of session key encryption types that
the client should request when making an AS\-REQ, in order of
preference from highest to lowest. The format is the same as for
-default_tgs_enctypes. The default value for this tag is
-\fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes256\-cts\-hmac\-sha384\-192 aes128\-cts\-hmac\-sha256\-128 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac\fP\&.
+default_tgs_enctypes. Starting in release 1.18, the default
+value is the value of \fBpermitted_enctypes\fP\&. For previous
+releases or if \fBpermitted_enctypes\fP is not set, the default
+value is \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes256\-cts\-hmac\-sha384\-192 aes128\-cts\-hmac\-sha256\-128 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac\fP\&.
.sp
Do not set this unless required for specific backward
compatibility purposes; stale values of this setting can prevent
used across NATs. The default value is true.
.TP
\fBpermitted_enctypes\fP
-Identifies all encryption types that are permitted for use in
-session key encryption. The default value for this tag is
-\fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes256\-cts\-hmac\-sha384\-192 aes128\-cts\-hmac\-sha256\-128 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac\fP\&.
+Identifies the encryption types that servers will permit for
+session keys and for ticket and authenticator encryption, ordered
+by preference from highest to lowest. Starting in release 1.18,
+this tag also acts as the default value for
+\fBdefault_tgs_enctypes\fP and \fBdefault_tkt_enctypes\fP\&. The
+default value for this tag is \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes256\-cts\-hmac\-sha384\-192 aes128\-cts\-hmac\-sha256\-128 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac\fP\&.
.TP
\fBplugin_base_dir\fP
If set, determines the base directory where krb5 plugins are
{permitted_enctypes(replica)=aes256-sha2}
{permitted_enctypes(client)=aes256-sha2}
{permitted_enctypes(server)=aes256-sha2}
- {default_tgs_enctypes(kdc)=aes256-sha2}
- {default_tgs_enctypes(replica)=aes256-sha2}
- {default_tgs_enctypes(client)=aes256-sha2}
- {default_tgs_enctypes(server)=aes256-sha2}
- {default_tkt_enctypes(kdc)=aes256-sha2}
- {default_tkt_enctypes(replica)=aes256-sha2}
- {default_tkt_enctypes(client)=aes256-sha2}
- {default_tkt_enctypes(server)=aes256-sha2}
{allow_weak_crypto(kdc)=false}
{allow_weak_crypto(replica)=false}
{allow_weak_crypto(client)=false}
{permitted_enctypes(replica)=camellia256-cts}
{permitted_enctypes(client)=camellia256-cts}
{permitted_enctypes(server)=camellia256-cts}
- {default_tgs_enctypes(kdc)=camellia256-cts}
- {default_tgs_enctypes(replica)=camellia256-cts}
- {default_tgs_enctypes(client)=camellia256-cts}
- {default_tgs_enctypes(server)=camellia256-cts}
- {default_tkt_enctypes(kdc)=camellia256-cts}
- {default_tkt_enctypes(replica)=camellia256-cts}
- {default_tkt_enctypes(client)=camellia256-cts}
- {default_tkt_enctypes(server)=camellia256-cts}
{allow_weak_crypto(kdc)=false}
{allow_weak_crypto(replica)=false}
{allow_weak_crypto(client)=false}
# These tests make assumptions about the default enctype lists, so set
# them explicitly rather than relying on the library defaults.
-enctypes='aes des3 rc4'
supp='aes256-cts:normal aes128-cts:normal des3-cbc-sha1:normal rc4-hmac:normal'
-conf = {'libdefaults': {
- 'default_tgs_enctypes': enctypes,
- 'default_tkt_enctypes': enctypes,
- 'permitted_enctypes': enctypes},
+conf = {'libdefaults': {'permitted_enctypes': 'aes des3 rc4'},
'realms': {'$realm': {'supported_enctypes': supp}}}
realm = K5Realm(krb5_conf=conf)
shutil.copyfile(realm.ccache, os.path.join(realm.testdir, 'save'))
'allow_weak_crypto': 'true',
'default_tkt_enctypes': 'aes128-cts',
'default_tgs_enctypes': 'rc4-hmac,aes128-cts'}}
+conf4 = {'libdefaults': {'permitted_enctypes': 'aes256-cts'}}
# Test with client request and session_enctypes preferring aes128, but
# aes256 long-term key.
realm = K5Realm(krb5_conf=conf1, create_host=False, get_creds=False)
test_kvno(realm, 'DEPRECATED:arcfour-hmac', 'aes256-cts-hmac-sha1-96')
realm.stop()
+# 4: Check that permitted_enctypes is a default for session key enctypes.
+realm = K5Realm(krb5_conf=conf4, create_host=False, get_creds=False)
+realm.kinit(realm.user_princ, password('user'))
+realm.run([kvno, 'user'],
+ expected_trace=('etypes requested in TGS request: aes256-cts',))
+realm.stop()
+
success('sesskeynego')
# Exercise the DES3 enctype.
('des3', None,
- {'libdefaults': {
- 'default_tgs_enctypes': 'des3',
- 'default_tkt_enctypes': 'des3',
- 'permitted_enctypes': 'des3'}},
+ {'libdefaults': {'permitted_enctypes': 'des3'}},
{'realms': {'$realm': {
'supported_enctypes': 'des3-cbc-sha1:normal',
'master_key_type': 'des3-cbc-sha1'}}}),
# Exercise the arcfour enctype.
('arcfour', None,
- {'libdefaults': {
- 'default_tgs_enctypes': 'rc4',
- 'default_tkt_enctypes': 'rc4',
- 'permitted_enctypes': 'rc4'}},
+ {'libdefaults': {'permitted_enctypes': 'rc4'}},
{'realms': {'$realm': {
'supported_enctypes': 'arcfour-hmac:normal',
'master_key_type': 'arcfour-hmac'}}}),
# Exercise the AES128 enctype.
('aes128', None,
- {'libdefaults': {
- 'default_tgs_enctypes': 'aes128-cts',
- 'default_tkt_enctypes': 'aes128-cts',
- 'permitted_enctypes': 'aes128-cts'}},
+ {'libdefaults': {'permitted_enctypes': 'aes128-cts'}},
{'realms': {'$realm': {
'supported_enctypes': 'aes128-cts:normal',
'master_key_type': 'aes128-cts'}}}),
# Exercise the camellia256-cts enctype.
('camellia256', None,
- {'libdefaults': {
- 'default_tgs_enctypes': 'camellia256-cts',
- 'default_tkt_enctypes': 'camellia256-cts',
- 'permitted_enctypes': 'camellia256-cts'}},
+ {'libdefaults': {'permitted_enctypes': 'camellia256-cts'}},
{'realms': {'$realm': {
'supported_enctypes': 'camellia256-cts:normal',
'master_key_type': 'camellia256-cts'}}}),
# Exercise the aes128-sha2 enctype.
('aes128-sha2', None,
- {'libdefaults': {
- 'default_tgs_enctypes': 'aes128-sha2',
- 'default_tkt_enctypes': 'aes128-sha2',
- 'permitted_enctypes': 'aes128-sha2'}},
+ {'libdefaults': {'permitted_enctypes': 'aes128-sha2'}},
{'realms': {'$realm': {
'supported_enctypes': 'aes128-sha2:normal',
'master_key_type': 'aes128-sha2'}}}),
# Exercise the aes256-sha2 enctype.
('aes256-sha2', None,
- {'libdefaults': {
- 'default_tgs_enctypes': 'aes256-sha2',
- 'default_tkt_enctypes': 'aes256-sha2',
- 'permitted_enctypes': 'aes256-sha2'}},
+ {'libdefaults': {'permitted_enctypes': 'aes256-sha2'}},
{'realms': {'$realm': {
'supported_enctypes': 'aes256-sha2:normal',
'master_key_type': 'aes256-sha2'}}}),
projects / thirdparty / krb5.git / commitdiff
