From 0e9bf73d2b8da55aedd25061faefe6a22d9613d3 Mon Sep 17 00:00:00 2001 From: Nicolas Williams Date: Mon, 4 Jun 2012 17:17:31 -0500 Subject: Add control over session key enctype negotiation Adds a principal string attribute named "session_enctypes" which can specify what enctypes the principal supports for session keys. (For what it's worth, this actually allows one to list des-cbc-md5 as a supported session key enctype, though obviously this hardly matters now.) Add a [realms] section parameter for specifying whether to assume that principals (which lack the session_enctypes attribute) support des-cbc-crc for session keys. This allows those who still need to use allow_weak_crypto=true, for whatever reason, to start reducing the number of tickets issued with des-cbc-crc session keys to clients which still give des-cbc-crc preference in their default_tgs_enctypes list. [ghudson@mit.edu: Miscellaneous edits, cleanups, and fixes; refactored test script; documented session_enctypes attribute] --- doc/rst_source/krb_admins/admin_commands/kadmin_local.rst | 13 ++++++++++--- doc/rst_source/krb_admins/conf_files/kdc_conf.rst | 7 +++++++ 2 files changed, 17 insertions(+), 3 deletions(-) (limited to 'doc') diff --git a/doc/rst_source/krb_admins/admin_commands/kadmin_local.rst b/doc/rst_source/krb_admins/admin_commands/kadmin_local.rst index ec90cff39..c8a08eba0 100644 --- a/doc/rst_source/krb_admins/admin_commands/kadmin_local.rst +++ b/doc/rst_source/krb_admins/admin_commands/kadmin_local.rst @@ -584,8 +584,7 @@ get_strings **get_strings** *principal* -Displays string attributes on *principal*. String attributes are used -to supply per-principal configuration to some KDC plugin modules. +Displays string attributes on *principal*. This command requires the **inquire** privilege. 
@@ -600,7 +599,15 @@ set_string **set_string** *principal* *key* *value* -Sets a string attribute on *principal*. +Sets a string attribute on *principal*. String attributes are used to +supply per-principal configuration to the KDC and some KDC plugin +modules. The following string attributes are recognized by the KDC: + +**session_enctypes** + Specifies the encryption types supported for session keys when the + principal is authenticated to as a server. See + :ref:`Encryption_and_salt_types` in :ref:`kdc.conf(5)` for a list + of the accepted values. This command requires the **modify** privilege. diff --git a/doc/rst_source/krb_admins/conf_files/kdc_conf.rst b/doc/rst_source/krb_admins/conf_files/kdc_conf.rst index a84c702f0..66f51dc75 100644 --- a/doc/rst_source/krb_admins/conf_files/kdc_conf.rst +++ b/doc/rst_source/krb_admins/conf_files/kdc_conf.rst @@ -269,6 +269,13 @@ subsection: listed in **host_based_services**. ``no_host_referral = *`` will disable referral processing altogether. +**des_crc_session_supported** + (Boolean value). If set to true, the KDC will assume that service + principals support des-cbc-crc for session key enctype negotiation + purposes. If **allow_weak_crypto** in :ref:`libdefaults` is + false, or if des-cbc-crc is not a permitted enctype, then this + variable has no effect. Defaults to true. + **reject_bad_transit** (Boolean value.) If set to true, the KDC will check the list of transited realms for cross-realm tickets against the transit path -- cgit
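Review bot: The get_strings hunk in kadmin_local.rst drops the sentence explaining what string attributes are without pointing the reader anywhere else, so someone reading get_strings alone no longer learns that the attributes are KDC configuration or where the recognized keys are listed. Suggest keeping a one-line cross-reference after "Displays string attributes on *principal*." such as "See **set_string** for a list of string attributes recognized by the KDC."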
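Review bot: The new **session_enctypes** entry in the set_string hunk does not describe the value format or how the attribute interacts with the realm-wide assumption this same commit adds, and the phrase "authenticated to as a server" reads awkwardly. Since the commit message states that **des_crc_session_supported** applies only to principals which lack this attribute, the entry should say so explicitly, e.g. "If this attribute is set, it overrides the **des_crc_session_supported** assumption in kdc.conf for this principal," and should state that the value is an enctype list in the same syntax as the kdc.conf enctype parameters it already references via :ref:`Encryption_and_salt_types`.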
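Review bot: In the kdc_conf.rst hunk, **des_crc_session_supported** defaults to true, which means an administrator who keeps allow_weak_crypto=true gets des-cbc-crc session keys issued to preference-ordering clients unless they actively change this setting; the entry should tell them the per-principal way out by mentioning that the **session_enctypes** string attribute (set with kadmin **set_string**) takes precedence for principals that have it, as the commit message describes. Minor style point: the added text uses "(Boolean value)." while the neighbouring **reject_bad_transit** entry uses "(Boolean value.)"; match the existing punctuation.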