diff options
-rw-r--r-- | daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c | 50 | ||||
-rw-r--r-- | install/share/default-keytypes.ldif | 14 |
2 files changed, 30 insertions, 34 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c index 462622a51..527e178fe 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c @@ -350,35 +350,29 @@ static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg, case KRB5_KDB_SALTTYPE_NORMAL: - /* If pre auth is required we can set a random salt, otherwise - * we have to use a more conservative approach and set the salt - * to be REALMprincipal (the concatenation of REALM and principal - * name without any separator) */ -#if 0 - if (krbTicketFlags & KTF_REQUIRES_PRE_AUTH) { - salt.length = KRB5P_SALT_SIZE; - salt.data = malloc(KRB5P_SALT_SIZE); - if (!salt.data) { - LOG_OOM(); - goto enc_error; - } - krberr = krb5_c_random_make_octets(krbctx, &salt); - if (krberr) { - LOG_FATAL("krb5_c_random_make_octets failed [%s]\n", - krb5_get_error_message(krbctx, krberr)); - goto enc_error; - } - } else { -#endif - krberr = krb5_principal2salt(krbctx, princ, &salt); - if (krberr) { - LOG_FATAL("krb5_principal2salt failed [%s]\n", - krb5_get_error_message(krbctx, krberr)); - goto enc_error; - } -#if 0 + krberr = krb5_principal2salt(krbctx, princ, &salt); + if (krberr) { + LOG_FATAL("krb5_principal2salt failed [%s]\n", + krb5_get_error_message(krbctx, krberr)); + goto enc_error; + } + break; + + case KRB5_KDB_SALTTYPE_SPECIAL: + + /* make random salt */ + salt.length = KRB5P_SALT_SIZE; + salt.data = malloc(KRB5P_SALT_SIZE); + if (!salt.data) { + LOG_OOM(); + goto enc_error; + } + krberr = krb5_c_random_make_octets(krbctx, &salt); + if (krberr) { + LOG_FATAL("krb5_c_random_make_octets failed [%s]\n", + krb5_get_error_message(krbctx, krberr)); + goto enc_error; } -#endif break; case KRB5_KDB_SALTTYPE_V4: diff --git a/install/share/default-keytypes.ldif b/install/share/default-keytypes.ldif index 8561b98dc..8093b6989 100644 --- a/install/share/default-keytypes.ldif +++ b/install/share/default-keytypes.ldif @@ -3,9 +3,13 @@ dn: cn=$REALM,cn=kerberos,$SUFFIX changetype: modify add: krbSupportedEncSaltTypes krbSupportedEncSaltTypes: aes256-cts:normal +krbSupportedEncSaltTypes: aes256-cts:special krbSupportedEncSaltTypes: aes128-cts:normal +krbSupportedEncSaltTypes: aes128-cts:special krbSupportedEncSaltTypes: des3-hmac-sha1:normal +krbSupportedEncSaltTypes: des3-hmac-sha1:special krbSupportedEncSaltTypes: arcfour-hmac:normal +krbSupportedEncSaltTypes: arcfour-hmac:special krbSupportedEncSaltTypes: des-hmac-sha1:normal krbSupportedEncSaltTypes: des-cbc-md5:normal krbSupportedEncSaltTypes: des-cbc-crc:normal @@ -22,10 +26,8 @@ krbMaxRenewableAge: 604800 dn: cn=$REALM,cn=kerberos,$SUFFIX changetype: modify add: krbDefaultEncSaltTypes -krbDefaultEncSaltTypes: aes256-cts:normal -krbDefaultEncSaltTypes: aes128-cts:normal -krbDefaultEncSaltTypes: des3-hmac-sha1:normal -krbDefaultEncSaltTypes: arcfour-hmac:normal -krbDefaultEncSaltTypes: des-hmac-sha1:normal -krbDefaultEncSaltTypes: des-cbc-md5:normal +krbDefaultEncSaltTypes: aes256-cts:special +krbDefaultEncSaltTypes: aes128-cts:special +krbDefaultEncSaltTypes: des3-hmac-sha1:special +krbDefaultEncSaltTypes: arcfour-hmac:special |