author | Greg Hudson <ghudson@mit.edu> | 2015-12-10 13:17:31 -0500 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2016-10-03 15:39:24 -0400 |
commit | 6fd74a89ac6c2444a347a357fac51b3490467284 (patch) | |
tree | 3cc2c1840a1d3db92fe28be8a79d4c6230701831 | |
parent | d1ec317288278d10ae34fde9b2414e4fca5c52dd (diff) | |
Document aes-sha2 enctypes
Add minimal documentation for the new aes-sha2 enctypes.
ticket: 8490
-rw-r--r-- | doc/admin/conf_files/kdc_conf.rst | 15 | ||||
-rw-r--r-- | doc/admin/enctypes.rst | 30 | ||||
-rw-r--r-- | doc/appdev/refs/macros/index.rst | 4 |
3 files changed, 31 insertions, 18 deletions
diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst index 429c528..13077ec 100644 --- a/doc/admin/conf_files/kdc_conf.rst +++ b/doc/admin/conf_files/kdc_conf.rst @@ -814,8 +814,10 @@ des-cbc-raw DES cbc mode raw (weak) des3-cbc-raw Triple DES cbc mode raw (weak) des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd Triple DES cbc mode with HMAC/sha1 des-hmac-sha1 DES with HMAC/sha1 (weak) -aes256-cts-hmac-sha1-96 aes256-cts AES-256 CTS mode with 96-bit SHA-1 HMAC -aes128-cts-hmac-sha1-96 aes128-cts AES-128 CTS mode with 96-bit SHA-1 HMAC +aes256-cts-hmac-sha1-96 aes256-cts aes256-sha1 AES-256 CTS mode with 96-bit SHA-1 HMAC +aes128-cts-hmac-sha1-96 aes128-cts aes128-sha1 AES-128 CTS mode with 96-bit SHA-1 HMAC +aes256-cts-hmac-sha384-192 aes256-sha2 AES-256 CTS mode with 192-bit SHA-384 HMAC +aes128-cts-hmac-sha256-128 aes128-sha2 AES-128 CTS mode with 128-bit SHA-256 HMAC arcfour-hmac rc4-hmac arcfour-hmac-md5 RC4 with HMAC/MD5 arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp Exportable RC4 with HMAC/MD5 (weak) camellia256-cts-cmac camellia256-cts Camellia-256 CTS mode with CMAC @@ -840,8 +842,13 @@ front. While **aes128-cts** and **aes256-cts** are supported for all Kerberos operations, they are not supported by very old versions of our GSSAPI implementation (krb5-1.3.1 and earlier). Services running versions of -krb5 without AES support must not be given AES keys in the KDC -database. +krb5 without AES support must not be given keys of these encryption +types in the KDC database. + +The **aes128-sha2** and **aes256-sha2** encryption types are new in +release 1.15. Services running versions of krb5 without support for +these newer encryption types must not be given keys of these +encryption types in the KDC database. .. _Keysalt_lists: diff --git a/doc/admin/enctypes.rst b/doc/admin/enctypes.rst index 44b6a8c..3cdfc92 100644 --- a/doc/admin/enctypes.rst +++ b/doc/admin/enctypes.rst 
@@ -124,20 +124,22 @@ Enctype compatibility See :ref:`Encryption_types` for additional information about enctypes. -======================= ===== ======== ======= -enctype weak? krb5 Windows -======================= ===== ======== ======= -des-cbc-crc weak all >=2000 -des-cbc-md4 weak all ? -des-cbc-md5 weak all >=2000 -des3-cbc-sha1 >=1.1 none -arcfour-hmac >=1.3 >=2000 -arcfour-hmac-exp weak >=1.3 >=2000 -aes128-cts-hmac-sha1-96 >=1.3 >=Vista -aes256-cts-hmac-sha1-96 >=1.3 >=Vista -camellia128-cts-cmac >=1.9 none -camellia256-cts-cmac >=1.9 none -======================= ===== ======== ======= +========================== ===== ======== ======= +enctype weak? krb5 Windows +========================== ===== ======== ======= +des-cbc-crc weak all >=2000 +des-cbc-md4 weak all ? +des-cbc-md5 weak all >=2000 +des3-cbc-sha1 >=1.1 none +arcfour-hmac >=1.3 >=2000 +arcfour-hmac-exp weak >=1.3 >=2000 +aes128-cts-hmac-sha1-96 >=1.3 >=Vista +aes256-cts-hmac-sha1-96 >=1.3 >=Vista +aes128-cts-hmac-sha256-128 >=1.15 none +aes256-cts-hmac-sha384-192 >=1.15 none +camellia128-cts-cmac >=1.9 none +camellia256-cts-cmac >=1.9 none +========================== ===== ======== ======= krb5 releases 1.8 and later disable the single-DES enctypes by default. Microsoft Windows releases Windows 7 and later disable diff --git a/doc/appdev/refs/macros/index.rst b/doc/appdev/refs/macros/index.rst index 2271e90..e767471 100644 --- a/doc/appdev/refs/macros/index.rst +++ b/doc/appdev/refs/macros/index.rst @@ -34,6 +34,8 @@ Public CKSUMTYPE_HMAC_MD5_ARCFOUR.rst CKSUMTYPE_HMAC_SHA1_96_AES128.rst CKSUMTYPE_HMAC_SHA1_96_AES256.rst + CKSUMTYPE_HMAC_SHA256_128_AES128.rst + CKSUMTYPE_HMAC_SHA384_192_AES256.rst CKSUMTYPE_HMAC_SHA1_DES3.rst CKSUMTYPE_MD5_HMAC_ARCFOUR.rst CKSUMTYPE_NIST_SHA.rst 
@@ -42,7 +44,9 @@ Public CKSUMTYPE_RSA_MD5.rst CKSUMTYPE_RSA_MD5_DES.rst ENCTYPE_AES128_CTS_HMAC_SHA1_96.rst + ENCTYPE_AES128_CTS_HMAC_SHA256_128.rst ENCTYPE_AES256_CTS_HMAC_SHA1_96.rst + ENCTYPE_AES256_CTS_HMAC_SHA384_192.rst ENCTYPE_ARCFOUR_HMAC.rst ENCTYPE_ARCFOUR_HMAC_EXP.rst ENCTYPE_CAMELLIA128_CTS_CMAC.rst |
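Review bot: In the kdc_conf.rst enctype table hunk (@@ -814), the aes256-sha1 and aes128-sha1 aliases are added to the existing SHA-1 rows with no version note, while the following hunk says only that aes128-sha2 and aes256-sha2 are new in release 1.15. If the -sha1 aliases are also recognized only from 1.15 onward, state that next to the table, since an administrator who copies them into a configuration shared with an older release gets no warning from this page.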
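Review bot: In the second kdc_conf.rst hunk (@@ -840), the paragraph still opens with **aes128-cts** and **aes256-cts**, which now reads ambiguously beside the new aes128-sha2 and aes256-sha2 names; consider using the aes128-sha1 and aes256-sha1 aliases or the full enctype names so it is clear that the krb5-1.3.1 caveat covers only the SHA-1 types. Both "must not be given keys of these encryption types" sentences say what to avoid but not how to control which keys a service principal receives, so a cross-reference to the Keysalt_lists section that immediately follows would make the warning actionable.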
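Review bot: In the enctypes.rst compatibility table hunk (@@ -124), the two new rows list "none" under Windows and ">=1.15" under krb5, but the text after the table only discusses default handling of single-DES and says nothing about the new types. Add a sentence stating whether aes128-cts-hmac-sha256-128 and aes256-cts-hmac-sha384-192 are enabled by default in 1.15, and noting that services on Windows or on pre-1.15 krb5 cannot use keys of these types, so readers of this page see the same caution that kdc_conf.rst now carries.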
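Review bot: In the first doc/appdev/refs/macros/index.rst hunk (@@ -34), CKSUMTYPE_HMAC_SHA256_128_AES128.rst and CKSUMTYPE_HMAC_SHA384_192_AES256.rst are inserted before CKSUMTYPE_HMAC_SHA1_DES3.rst, which breaks the alphabetical order the visible entries otherwise follow ("SHA1_DES3" sorts before "SHA256"). Move the two new entries to after CKSUMTYPE_HMAC_SHA1_DES3.rst; the ENCTYPE additions in the next hunk are already in sorted position.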