| author | Robbie Harwood <rharwood@redhat.com> | 2020-01-14 14:23:00 -0500 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2020-01-23 14:21:42 -0500 |
| commit | 8f13fb2342b2a715cfb694688e3435e7f11691f8 (patch) | |
| tree | d11853241c47aea171ee557a92260cae9368910a /doc/admin | |
| parent | fba01092b7beb097780f2482997c9e6cee0e7ed2 (diff) | |
Apply permitted_enctypes to KDC request enctypes
permitted_enctypes was initially intended only to restrict the
processing of AP requests (and was later applied to KDB key data
searches so that the KDC wouldn't issue a ticket it would refuse to
accept). Because the documentation was never clear about its scope,
many configurations assume that permitted_enctypes also applies to
clients.
In light of the existing configurations, take the simple way out and
use permitted_enctypes as the default for default_tkt_enctypes and
default_tgs_enctypes. Update the documentation, add a test to
explicitly check the new behavior, and remove now-unnecessary
configuration from the test suite.
[ghudson@mit.edu: unrolled helper function; edited documentation and
commit message; simplified test case]
ticket: 8869 (new)
tags: pullup
target_version: 1.18
Diffstat (limited to 'doc/admin')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | doc/admin/conf_files/krb5_conf.rst | 20 |
| -rw-r--r-- | doc/admin/enctypes.rst | 8 |

2 files changed, 20 insertions, 8 deletions
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst index d7687ef..f682255 100644 --- a/doc/admin/conf_files/krb5_conf.rst +++ b/doc/admin/conf_files/krb5_conf.rst @@ -159,7 +159,10 @@ The libdefaults section may contain any of the following relations: preference from highest to lowest. The list may be delimited with commas or whitespace. See :ref:`Encryption_types` in :ref:`kdc.conf(5)` for a list of the accepted values for this tag. - The default value is |defetypes|. + Starting in release 1.18, the default value is the value of + **permitted_enctypes**. For previous releases or if + **permitted_enctypes** is not set, the default value is + |defetypes|. Do not set this unless required for specific backward compatibility purposes; stale values of this setting can prevent @@ -170,8 +173,10 @@ The libdefaults section may contain any of the following relations: Identifies the supported list of session key encryption types that the client should request when making an AS-REQ, in order of preference from highest to lowest. The format is the same as for - default_tgs_enctypes. The default value for this tag is - |defetypes|. + default_tgs_enctypes. Starting in release 1.18, the default + value is the value of **permitted_enctypes**. For previous + releases or if **permitted_enctypes** is not set, the default + value is |defetypes|. Do not set this unless required for specific backward compatibility purposes; stale values of this setting can prevent 
@@ -294,9 +299,12 @@ The libdefaults section may contain any of the following relations: used across NATs. The default value is true. **permitted_enctypes** - Identifies all encryption types that are permitted for use in - session key encryption. The default value for this tag is - |defetypes|. + Identifies the encryption types that servers will permit for + session keys and for ticket and authenticator encryption, ordered + by preference from highest to lowest. Starting in release 1.18, + this tag also acts as the default value for + **default_tgs_enctypes** and **default_tkt_enctypes**. The + default value for this tag is |defetypes|. **plugin_base_dir** If set, determines the base directory where krb5 plugins are diff --git a/doc/admin/enctypes.rst b/doc/admin/enctypes.rst index 84183a5..caf6d92 100644 --- a/doc/admin/enctypes.rst +++ b/doc/admin/enctypes.rst @@ -88,8 +88,12 @@ affect how enctypes are chosen. required for backward compatibility. **permitted_enctypes** - controls the set of enctypes that a service will accept as session - keys. + controls the set of enctypes that a service will permit for + session keys and for ticket and authenticator encryption. The KDC + and other programs that access the Kerberos database will ignore + keys of non-permitted enctypes. Starting in release 1.18, this + setting also acts as the default for **default_tkt_enctypes** and + **defaut_tgs_enctypes**. **default_tkt_enctypes** controls the default set of enctypes that the Kerberos client |
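Review bot: markup is inconsistent in the default_tkt_enctypes hunk of krb5_conf.rst (@@ -170,8 +173,10 @@): the added lines set **permitted_enctypes** in bold, but the retained cross-reference on the preceding line, "The format is the same as for default_tgs_enctypes.", leaves the tag name in plain text. Bold it as **default_tgs_enctypes** so every tag reference in the entry uses the same markup.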
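Review bot: the rewritten **permitted_enctypes** entry in krb5_conf.rst (@@ -294,9 +299,12 @@) omits the key-data behaviour that the enctypes.rst hunk in the same patch documents, namely that the KDC and other programs accessing the Kerberos database ignore keys of non-permitted enctypes. Since krb5_conf.rst is the reference page for the tag, add that sentence here as well so the two documents describe the same scope.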
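Review bot: the last added line of the enctypes.rst hunk (@@ -88,8 +88,12 @@) misspells the setting name as **defaut_tgs_enctypes**; it should read **default_tgs_enctypes** so that the reference matches the tag documented immediately below and in krb5_conf.rst.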