author Sam Hartman <hartmans@mit.edu> 2003-05-30 20:01:31 +0000
committer Sam Hartman <hartmans@mit.edu> 2003-05-30 20:01:31 +0000
commit fab16f7cb18461136ab3c63a5301a477f5ceec5e (patch)
tree bad98c91d97a35a578867dada322979e0cbb44a4
parent ef09b0469471c27f7260d6ff0c0aafcb100987ad (diff)
Document that we support AES and the constraints on that support
Ticket: 1535
Tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15526 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r-- doc/ChangeLog 6
-rw-r--r-- doc/admin.texinfo 19
-rw-r--r-- doc/support-enc.texinfo 6
3 files changed, 31 insertions, 0 deletions
diff --git a/doc/ChangeLog b/doc/ChangeLog
index fa79ec6..ae17f33 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,3 +1,9 @@
+2003-05-30 Sam Hartman <hartmans@mit.edu>
+
+ * admin.texinfo (Supported Encryption Types): Document AES interop issues.
+
+ * support-enc.texinfo: Add AES enctypes
+
2003-05-27 Tom Yu <tlyu@mit.edu>
* admin.texinfo (realms (kdc.conf)): Update to reflect that
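Review bot: the support-enc.texinfo entry ("Add AES enctypes") lacks the trailing period that the admin.texinfo entry directly above it has, and it does not name what was added. Listing the four strings (aes256-cts-hmac-sha1-96, aes256-cts, aes128-cts-hmac-sha1-96, aes128-cts) would make the entry findable by anyone searching the ChangeLog for an enctype name.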
diff --git a/doc/admin.texinfo b/doc/admin.texinfo
index 314ad13..7f5aba4 100644
--- a/doc/admin.texinfo
+++ b/doc/admin.texinfo
@@ -350,6 +350,25 @@ types can be set to some combination of the following strings.
@include support-enc.texinfo
+While aes128-cts and aes256-cts are supported for all Kerberos
+operations, they are not supported by the GSSAPI. AES GSSAPI support
+will be added after the necessary standardization work is
+completed.
+
+By default, AES is enabled on clients and application servers.
+Because of the lack of support for GSSAPI, AES is disabled in the
+default KDC supported_enctypes @ref{kdc.conf}. Sites wishing to use
+AES encryption types on their KDCs need to be careful not to give
+GSSAPI services AES keys. If GSSAPI services are given AES keys, then
+services will start to fail in the future when clients supporting AES
+for GSSAPI are deployed before updated servers that support AES for
+GSSAPI. Sites may wish to use AES for user keys and for the ticket
+granting ticket key, although doing so requires specifying what
+encryption types are used as each principal is created. Alternatively
+sites can use the default configuration which will make AES support
+available in clients and servers but not actually use this support
+until a future version of Kerberos adds support to GSSAPI.
+
@node Salts, krb5.conf, Supported Encryption Types, Configuration Files
@section Salts
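Review bot: the new paragraph warns sites to be "careful not to give GSSAPI services AES keys" and says using AES for user keys and the ticket granting ticket key "requires specifying what encryption types are used as each principal is created", but it never says how an administrator does either. Since getting this wrong is described as causing service failures later, add the concrete procedure for choosing enctypes per principal, or a cross-reference to the section that documents it. Two smaller points in the same paragraph: "@ref{kdc.conf}" is appended to the sentence after supported_enctypes with no connecting words, so "(@pxref{kdc.conf})" would read better and supported_enctypes should be wrapped in @code{}; and the sentence beginning "If GSSAPI services are given AES keys" would be clearer if it stated the failure condition directly (an AES-capable GSSAPI client talking to a server that holds an AES key but has no AES GSSAPI support).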
diff --git a/doc/support-enc.texinfo b/doc/support-enc.texinfo
index 3f030ba..ca4e8fa 100644
--- a/doc/support-enc.texinfo
+++ b/doc/support-enc.texinfo
@@ -16,6 +16,12 @@ DES cbc mode with RSA-MD5
triple DES cbc mode with HMAC/sha1
@item des-hmac-sha1
DES with HMAC/sha1
+@item aes256-cts-hmac-sha1-96
+@itemx aes256-cts
+AES-256 CTS mode with 96-bit SHA-1 HMAC
+@item aes128-cts-hmac-sha1-96
+@itemx aes128-cts
+AES-128 CTS mode with 96-bit SHA-1 HMAC
@item arcfour-hmac
@itemx rc4-hmac
@itemx arcfour-hmac-md5
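Review bot: the two new table entries give no hint of the constraints this commit documents in admin.texinfo, namely that these enctypes are not supported by the GSSAPI and are left out of the default KDC supported_enctypes. Because this file is pulled in with @include, a reader who reaches the table elsewhere sees aes256-cts and aes128-cts listed on equal footing with the other types. Consider adding a short qualifier to each description, or a sentence after the table pointing to the Supported Encryption Types node.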