doc/krb5-protocol/krb5.constants


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148

8.3.  Protocol constants and associated values

   The following tables list constants used in the protocol and defines
   their meanings.


---------------+-----------+----------+----------------+---------------
Encryption type|etype value|block size|minimum pad size|confounder size
---------------+-----------+----------+----------------+---------------
NULL                0            1              0              0
des-cbc-crc         1            8              4              8
des-cbc-md4         2            8              0              8
des-cbc-md5         3            8              0              8
<reserved>          4
des3-cbc-md5        5            8              0              8     
<reserved>          0x8003

-------------------------------+-------------------+-------------
Checksum type                  |sumtype value      |checksum size
-------------------------------+-------------------+-------------
CRC32                           1                   4
rsa-md4                         2                   16
rsa-md4-des                     3                   24
des-mac                         4                   16
des-mac-k                       5                   8
rsa-md4-des-k                   6                   16
rsa-md5                         7                   16
rsa-md5-des                     8                   24
rsa-md5-des3                    9                   24

-------------------------------+-----------------
padata type                    |padata-type value
-------------------------------+-----------------
PA-TGS-REQ                      1
PA-ENC-TIMESTAMP                2
PA-PW-SALT                      3
<reserved>                      4
PA-ENC-UNIX-TIME                5
PA-SANDIA-SECUREID              6
PA-SESAME                       7
PA-OSF-DCE                      8
PA-CYBERSAFE-SECUREID           9
PA-AFS3-SALT			10
PA-ETYPE-INFO                   11

-------------------------------+-------------
authorization data type        |ad-type value
-------------------------------+-------------
reserved values                 0-63
AD-OSF-DCE                      64
AD-SESAME                       65

-------------------------------+-----------------
alternate authentication type  |method-type value
-------------------------------+-----------------
reserved values                 0-63
ATT-CHALLENGE-RESPONSE          64

-------------------------------+-------------
transited encoding type        |tr-type value
-------------------------------+-------------
DOMAIN-X500-COMPRESS            1
reserved values                 all others


--------------+-------+-----------------------------------------
Label         |Value  |Meaning or MIT code
--------------+-------+-----------------------------------------

pvno             5     current Kerberos protocol version number

message types

KRB_AS_REQ      10     Request for initial authentication
KRB_AS_REP      11     Response to KRB_AS_REQ request
KRB_TGS_REQ     12     Request for authentication based on TGT
KRB_TGS_REP     13     Response to KRB_TGS_REQ request
KRB_AP_REQ      14     application request to server
KRB_AP_REP      15     Response to KRB_AP_REQ_MUTUAL
KRB_SAFE        20     Safe (checksummed) application message
KRB_PRIV        21     Private (encrypted) application message
KRB_CRED        22     Private (encrypted) message to forward credentials
KRB_ERROR       30     Error response

name types

KRB_NT_UNKNOWN   0   Name type not known
KRB_NT_PRINCIPAL 1   Just the name of the principal as in DCE, or for users
KRB_NT_SRV_INST  2   Service and other unique instance (krbtgt)
KRB_NT_SRV_HST   3   Service with host name as instance (telnet, rcommands)
KRB_NT_SRV_XHST  4   Service with host as remaining components
KRB_NT_UID       5   Unique ID

error codes

KDC_ERR_NONE                   0   No error
KDC_ERR_NAME_EXP               1   Client's entry in database has expired
KDC_ERR_SERVICE_EXP            2   Server's entry in database has expired
KDC_ERR_BAD_PVNO               3   Requested protocol version # not supported
KDC_ERR_C_OLD_MAST_KVNO        4   Client's key encrypted in old master key
KDC_ERR_S_OLD_MAST_KVNO        5   Server's key encrypted in old master key
KDC_ERR_C_PRINCIPAL_UNKNOWN    6   Client not found in Kerberos database
KDC_ERR_S_PRINCIPAL_UNKNOWN    7   Server not found in Kerberos database
KDC_ERR_PRINCIPAL_NOT_UNIQUE   8   Multiple principal entries in database
KDC_ERR_NULL_KEY               9   The client or server has a null key
KDC_ERR_CANNOT_POSTDATE       10   Ticket not eligible for postdating
KDC_ERR_NEVER_VALID           11   Requested start time is later than end time
KDC_ERR_POLICY                12   KDC policy rejects request
KDC_ERR_BADOPTION             13   KDC cannot accommodate requested option
KDC_ERR_ETYPE_NOSUPP          14   KDC has no support for encryption type
KDC_ERR_SUMTYPE_NOSUPP        15   KDC has no support for checksum type
KDC_ERR_PADATA_TYPE_NOSUPP    16   KDC has no support for padata type
KDC_ERR_TRTYPE_NOSUPP         17   KDC has no support for transited type
KDC_ERR_CLIENT_REVOKED        18   Clients credentials have been revoked
KDC_ERR_SERVICE_REVOKED       19   Credentials for server have been revoked
KDC_ERR_TGT_REVOKED           20   TGT has been revoked
KDC_ERR_CLIENT_NOTYET         21   Client not yet valid - try again later
KDC_ERR_SERVICE_NOTYET        22   Server not yet valid - try again later
KDC_ERR_KEY_EXPIRED           23   Password has expired - change to reset
KDC_ERR_PREAUTH_FAILED        24   Pre-authentication information was invalid
KDC_ERR_PREAUTH_REQUIRED      25   Additional pre-authentication required*
KDC_ERR_SERVER_NOMATCH        26   Requested server and ticket don't match
KRB_AP_ERR_BAD_INTEGRITY      31   Integrity check on decrypted field failed
KRB_AP_ERR_TKT_EXPIRED        32   Ticket expired
KRB_AP_ERR_TKT_NYV            33   Ticket not yet valid
KRB_AP_ERR_REPEAT             34   Request is a replay
KRB_AP_ERR_NOT_US             35   The ticket isn't for us
KRB_AP_ERR_BADMATCH           36   Ticket and authenticator don't match
KRB_AP_ERR_SKEW               37   Clock skew too great
KRB_AP_ERR_BADADDR            38   Incorrect net address
KRB_AP_ERR_BADVERSION         39   Protocol version mismatch
KRB_AP_ERR_MSG_TYPE           40   Invalid msg type
KRB_AP_ERR_MODIFIED           41   Message stream modified
KRB_AP_ERR_BADORDER           42   Message out of order
KRB_AP_ERR_BADKEYVER          44   Specified version of key is not available
KRB_AP_ERR_NOKEY              45   Service key not available
KRB_AP_ERR_MUT_FAIL           46   Mutual authentication failed
KRB_AP_ERR_BADDIRECTION       47   Incorrect message direction
KRB_AP_ERR_METHOD             48   Alternative authentication method required*
KRB_AP_ERR_BADSEQ             49   Incorrect sequence number in message
KRB_AP_ERR_INAPP_CKSUM        50   Inappropriate type of checksum in message
KRB_ERR_GENERIC               60   Generic error (description in e-text)
KRB_ERR_FIELD_TOOLONG         61   Field is too long for this implementation

   *This error carries additional information in the e-data field.  The
   contents of the e-data field for this message is described in section
   5.9.1.