author | Robbie Harwood <rharwood@redhat.com> | 2019-05-13 14:19:57 -0400 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2019-05-13 21:44:06 -0400 |
commit | a5a140dc85201faf1ba3a687553058354722a1b4 (patch) | |
tree | a5b1b1f698ef08d2211efe0cc1331595176630eb /doc/admin | |
parent | 0269810b1aec6c554fb746433f045d59fd34ab3a (diff) | |
Remove checksum type profile variables

Remove support for the krb5.conf relations ap_req_checksum_type,
kdc_req_checksum_type, and safe_checksum_type. These values were
useful for interoperating with very old KDCs, which should no longer
be deployed.

Additionally, kdc_req_checksum_type was incorrectly documented as only
applying to single-DES keys; in practice it also worked for RC4. The
other two were not clearly documented, but safe_checksum_type did
allow use of hmac-md5-rc4 for any enctype, and ap_req_checksum_type
did not impose any limitations.

[ghudson@mit.edu: edited commit message]

ticket: 8804 (new)
Diffstat (limited to 'doc/admin')
-rw-r--r-- | doc/admin/conf_files/krb5_conf.rst | 37 |
1 files changed, 0 insertions, 37 deletions
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst index e9f7e8c..5df3bfe 100644 --- a/doc/admin/conf_files/krb5_conf.rst +++ b/doc/admin/conf_files/krb5_conf.rst @@ -111,14 +111,6 @@ The libdefaults section may contain any of the following relations: strong crypto. Users in affected environments should set this tag to true until their infrastructure adopts stronger ciphers. -**ap_req_checksum_type** - An integer which specifies the type of AP-REQ checksum to use in - authenticators. This variable should be unset so the appropriate - checksum for the encryption key in use will be used. This can be - set if backward compatibility requires a specific checksum type. - See the **kdc_req_checksum_type** configuration option for the - possible values and their meanings. - **canonicalize** If this flag is set to true, initial ticket requests to the KDC will request canonicalization of the client principal name, and @@ -297,26 +289,6 @@ The libdefaults section may contain any of the following relations: corrective factor is only used by the Kerberos library; it is not used to change the system clock. The default value is 1. -**kdc_req_checksum_type** - An integer which specifies the type of checksum to use for the KDC - requests, for compatibility with very old KDC implementations. - This value is only used for DES keys; other keys use the preferred - checksum type for those keys. - - The possible values and their meanings are as follows. - - ======== =============================== - 1 CRC32 - 2 RSA MD4 - 3 RSA MD4 DES - 4 DES CBC - 7 RSA MD5 - 8 RSA MD5 DES - 9 NIST SHA - 12 HMAC SHA1 DES3 - -138 Microsoft MD5 HMAC checksum type - ======== =============================== - **noaddresses** If this flag is true, requests for initial tickets will not be made with address restrictions set, allowing the tickets to be 
@@ -365,15 +337,6 @@ The libdefaults section may contain any of the following relations: (:ref:`duration` string.) Sets the default renewable lifetime for initial ticket requests. The default value is 0. -**safe_checksum_type** - An integer which specifies the type of checksum to use for the - KRB-SAFE requests. By default it is set to 8 (RSA MD5 DES). For - compatibility with applications linked against DCE version 1.1 or - earlier Kerberos libraries, use a value of 3 to use the RSA MD4 - DES instead. This field is ignored when its value is incompatible - with the session key type. See the **kdc_req_checksum_type** - configuration option for the possible values and their meanings. - **spake_preauth_groups** A whitespace or comma-separated list of words which specifies the groups allowed for SPAKE preauthentication. The possible values |
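Review bot: In the first hunk (@@ -111,14 +111,6 @@) the **ap_req_checksum_type** entry is deleted with nothing left in its place, so an administrator who finds the relation in an existing krb5.conf has nowhere in this file to learn that it is no longer supported. Suggest recording the removal where administrators will look, for example a short line in the release notes or in this document naming ap_req_checksum_type, kdc_req_checksum_type and safe_checksum_type as removed. The diffstat shown is limited to doc/admin, so it is also worth confirming that no other page under doc/ still refers to these three relations.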
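Review bot: In the second hunk (@@ -297,26 +289,6 @@) the removed sentence "This value is only used for DES keys" is the wording the commit message calls incorrect, since the setting also took effect for RC4. Sites with RC4 keys that set **kdc_req_checksum_type** are therefore affected by the removal as well, and the removal notice should name RC4 alongside single-DES so those sites know to review their configuration. The numeric table (1 CRC32 through -138 Microsoft MD5 HMAC checksum type) is deleted with the entry, so any remaining text that cites these numbers needs the same cleanup.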
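Review bot: In the third hunk (@@ -365,15 +337,6 @@) the removed **safe_checksum_type** entry was the only text in these hunks describing the DCE 1.1 workaround ("use a value of 3 to use the RSA MD4 DES instead") and the stated default of 8 (RSA MD5 DES). After the deletion the document no longer tells a reader that the KRB-SAFE checksum was ever configurable or that this interoperability path is gone. Suggest one sentence, here or in the release notes, stating that the KRB-SAFE checksum type can no longer be set from krb5.conf and that the DCE 1.1 compatibility setting has been dropped.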