[kadmin] default_keys: not set vs. "v5"


[kadmin] default_keys: not set vs. "v5"

Patrik Lundin
Hello,

If I run kadmin without setting default_keys, the following encryption
type list is created:
===
Keytypes: aes256-cts-hmac-sha1-96(pw-salt)[34],
des3-cbc-sha1(pw-salt)[34], arcfour-hmac-md5(pw-salt)[34]
===

If I set default_keys to "v5" and change the password the order looks like this:
===
Keytypes: aes256-cts-hmac-sha1-96(pw-salt)[35],
arcfour-hmac-md5(pw-salt)[35], des3-cbc-sha1(pw-salt)[35]
===

I believe this is because while lib/hdb/keys.c sets this list:
static const krb5_enctype all_etypes[] = {
  ETYPE_AES256_CTS_HMAC_SHA1_96,
  ETYPE_ARCFOUR_HMAC_MD5,
  ETYPE_DES3_CBC_SHA1
};

... hdb_generate_key_set() looks like this:

char *default_keytypes[] = {
  "aes256-cts-hmac-sha1-96:pw-salt",
  "des3-cbc-sha1:pw-salt",
  "arcfour-hmac-md5:pw-salt",
  NULL
};

Do you have an idea regarding what order is the preferred one?

Regards,
Patrik Lundin

Re: [kadmin] default_keys: not set vs. "v5"

Love Hörnquist Åstrand
We want the order of hdb_generate_key_set(). arcfour should be deprecated.

Love

> On 9 Sep 2014, at 10:33, Patrik Lundin <[hidden email]> wrote:
>
> Hello,
>
> If I run kadmin without setting default_keys, the following encryption
> type list is created:
> ===
> Keytypes: aes256-cts-hmac-sha1-96(pw-salt)[34],
> des3-cbc-sha1(pw-salt)[34], arcfour-hmac-md5(pw-salt)[34]
> ===
>
> If I set default_keys to "v5" and change the password the order looks like this:
> ===
> Keytypes: aes256-cts-hmac-sha1-96(pw-salt)[35],
> arcfour-hmac-md5(pw-salt)[35], des3-cbc-sha1(pw-salt)[35]
> ===
>
> I believe this is because while lib/hdb/keys.c sets this list:
> static const krb5_enctype all_etypes[] = {
>  ETYPE_AES256_CTS_HMAC_SHA1_96,
>  ETYPE_ARCFOUR_HMAC_MD5,
>  ETYPE_DES3_CBC_SHA1
> };
>
> ... hdb_generate_key_set() looks like this:
>
> char *default_keytypes[] = {
>  "aes256-cts-hmac-sha1-96:pw-salt",
>  "des3-cbc-sha1:pw-salt",
>  "arcfour-hmac-md5:pw-salt",
>  NULL
> };
>
> Do you have an idea regarding what order is the preferred one?
>
> Regards,
> Patrik Lundin


Re: [kadmin] default_keys: not set vs. "v5"

Patrik Lundin
On Tue, Sep 09, 2014 at 03:28:40PM +0200, Love Hörnquist Åstrand wrote:
>
> We want the order of hdb_generate_key_set(). arcfour should be deprecated.
>

Thanks for the information. For anyone following the thread this was
fixed by Love a few moments ago:
https://github.com/heimdal/heimdal/commit/24c8bac3b8a3cbea94489c31353fb7ea82fd6ba1
 
Regards,
Patrik Lundin
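An added check, not code from this thread or from Heimdal, that parses the kadmin "Keytypes:" output quoted above and flags key sets whose order differs from the default_keytypes order of hdb_generate_key_set() (the order the thread settles on), key sets that still carry arcfour, and key sets with mixed kvnos; the two sample outputs are copied from Patrik's message, and the enctype/salt/kvno regex is an assumption about kadmin's formatting.

```python
import re
from typing import List, Tuple

# Preferred order: the default_keytypes list used by hdb_generate_key_set() in
# lib/hdb/keys.c, which the reply in the thread says is the one wanted.
# arcfour comes last and, per the same reply, should be deprecated.
PREFERRED_ORDER = ["aes256-cts-hmac-sha1-96", "des3-cbc-sha1", "arcfour-hmac-md5"]
DEPRECATED = {"arcfour-hmac-md5"}

# Assumed layout of one entry in kadmin's "Keytypes:" line:  enctype(salt)[kvno]
KEY_RE = re.compile(r"([\w-]+)\(([\w-]+)\)\[(\d+)\]")

# Constructed samples, copied from the two outputs shown in the thread.
DEFAULT_OUTPUT = """Keytypes: aes256-cts-hmac-sha1-96(pw-salt)[34],
des3-cbc-sha1(pw-salt)[34], arcfour-hmac-md5(pw-salt)[34]"""
V5_OUTPUT = """Keytypes: aes256-cts-hmac-sha1-96(pw-salt)[35],
arcfour-hmac-md5(pw-salt)[35], des3-cbc-sha1(pw-salt)[35]"""

def parse_keytypes(text: str) -> List[Tuple[str, str, int]]:
    """Parse a (possibly line-wrapped) Keytypes: line into (enctype, salt, kvno)."""
    joined = " ".join(line.strip() for line in text.splitlines())
    m = re.search(r"Keytypes:\s*(.*)", joined)
    if m is None:
        raise ValueError("no Keytypes: line in input")
    return [(enc, salt, int(kvno)) for enc, salt, kvno in KEY_RE.findall(m.group(1))]

def check_key_set(keys: List[Tuple[str, str, int]]) -> List[str]:
    """Return findings: wrong preference order, deprecated enctypes, mixed kvnos."""
    findings = []
    present = [enc for enc, _, _ in keys]
    # Keep only the preferred enctypes that actually exist, in preferred order;
    # anything else (reordered or unknown) shows up as a mismatch.
    expected = [enc for enc in PREFERRED_ORDER if enc in present]
    if present != expected:
        findings.append(f"order {present} differs from preferred {expected}")
    for enc, _, kvno in keys:
        if enc in DEPRECATED:
            findings.append(f"deprecated enctype {enc} still keyed (kvno {kvno})")
    kvnos = sorted({kvno for _, _, kvno in keys})
    if len(kvnos) > 1:
        findings.append(f"key set mixes kvnos {kvnos}")
    return findings

if __name__ == "__main__":
    for label, out in (("default", DEFAULT_OUTPUT), ("v5", V5_OUTPUT)):
        for finding in check_key_set(parse_keytypes(out)) or ["ok"]:
            print(f"{label}: {finding}")
```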