
asyd.net

Welcome to Bruno Bonfils's (aka asyd) homepage.

MIT Implementation

Enctypes

KDC logs refer to encryption types by their decimal value (for example 16 is DES3_CBC_SHA1 and 18 is AES256_CTS_HMAC_SHA1_96), while the header below lists them in hexadecimal. Note that the single-DES types (1 to 4 and 8) are weak; MIT krb5 1.7 and later refuse them unless allow_weak_crypto = true is set in [libdefaults].

Extract from krb5.h (the C header, not krb5.conf)

/* per Kerberos v5 protocol spec */
#define ENCTYPE_NULL            0x0000
#define ENCTYPE_DES_CBC_CRC     0x0001  /* DES cbc mode with CRC-32 */
#define ENCTYPE_DES_CBC_MD4     0x0002  /* DES cbc mode with RSA-MD4 */
#define ENCTYPE_DES_CBC_MD5     0x0003  /* DES cbc mode with RSA-MD5 */
#define ENCTYPE_DES_CBC_RAW     0x0004  /* DES cbc mode raw */
/* XXX deprecated? */
#define ENCTYPE_DES3_CBC_SHA    0x0005  /* DES-3 cbc mode with NIST-SHA */
#define ENCTYPE_DES3_CBC_RAW    0x0006  /* DES-3 cbc mode raw */
#define ENCTYPE_DES_HMAC_SHA1   0x0008
#define ENCTYPE_DES3_CBC_SHA1   0x0010
#define ENCTYPE_AES128_CTS_HMAC_SHA1_96 0x0011
#define ENCTYPE_AES256_CTS_HMAC_SHA1_96 0x0012
#define ENCTYPE_ARCFOUR_HMAC    0x0017
#define ENCTYPE_ARCFOUR_HMAC_EXP 0x0018
#define ENCTYPE_UNKNOWN         0x01ff
/* local crud */
/* marc's DES-3 with 32-bit length */
#define ENCTYPE_LOCAL_DES3_HMAC_SHA1 0x7007

Debian Installation

Requirements

Packages

# apt-get install krb5-admin-server krb5-kdc

Create the realm database and the stash file

# kdb5_util create -r <realm> -s

Initial ACL /etc/krb5kdc/kadm5.acl

*/admin@DEBIAN-FR.ORG   *

This is the minimal ACL you need: it grants every */admin principal full rights through kadmind, so that once kadmind is running you can log in remotely with kadmin and add other principals. kadmin.local works directly on the database and does not consult this file, which is why the first admin principal can be created with it below.

Create the kadmin principal

# kadmin.local
Authenticating as principal root/admin@DEBIAN-FR.ORG with password.
kadmin.local:  addprinc asyd/admin@DEBIAN-FR.ORG
WARNING: no policy specified for asyd/admin@DEBIAN-FR.ORG; defaulting to no policy
Enter password for principal "asyd/admin@DEBIAN-FR.ORG": 
Re-enter password for principal "asyd/admin@DEBIAN-FR.ORG": 
Principal "asyd/admin@DEBIAN-FR.ORG" created.

Create the minimal keytab for kadmind

# kadmin.local
kadmin.local:  ktadd -k /etc/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw
Entry for principal kadmin/admin with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5kdc/kadm5.keytab.

Check for the stash file: if /etc/krb5kdc/stash does not exist (kdb5_util create -s should have written it), create it with the command below. The stash file holds the master key unencrypted, so keep it owned by root with mode 0600.

# kdb5_util stash -f /etc/krb5kdc/stash

Optional: to enable logging, create the /var/log/krb directory and add the following lines to /etc/krb5.conf

[logging]
        kdc = FILE:/var/log/krb/kdc.log
        admin_server = FILE:/var/log/krb/admin.log
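
Added example (not code from this page or from MIT krb5): a Python script covering two points above, the decimal enctype numbers that appear in kdc.log and the kadm5.keytab written by the ktadd step. It maps etype lists from KDC log lines to the names in the krb5.h table, parses MIT keytab file format v0x0502 (the big-endian format ktadd writes) and reports missing kadmind principals and DES/3DES/RC4 keys. The sample keytab and log line are constructed here, with dummy key bytes, to mirror the ktadd output above; treating 3DES and RC4 as deprecated findings is this example's own policy, not the page's.

```python
"""Decode Kerberos enctype numbers and audit a kadm5.keytab (added example)."""
import re
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Decimal enctype numbers as they appear in KDC logs and keytabs (krb5.h hex values converted).
ENCTYPE_NAMES = {
    0: "NULL", 1: "DES_CBC_CRC", 2: "DES_CBC_MD4", 3: "DES_CBC_MD5",
    4: "DES_CBC_RAW", 5: "DES3_CBC_SHA", 6: "DES3_CBC_RAW", 8: "DES_HMAC_SHA1",
    16: "DES3_CBC_SHA1", 17: "AES128_CTS_HMAC_SHA1_96",
    18: "AES256_CTS_HMAC_SHA1_96", 23: "ARCFOUR_HMAC", 24: "ARCFOUR_HMAC_EXP",
    511: "UNKNOWN",
}
# Policy assumed by this example: single DES and exportable RC4 are broken,
# 3DES and RC4-HMAC are deprecated in current MIT krb5; both classes are reported.
WEAK_ENCTYPES = {1, 2, 3, 4, 8, 24}
DEPRECATED_ENCTYPES = {5, 6, 16, 23}


def enctype_name(etype: int) -> str:
    return ENCTYPE_NAMES.get(etype, f"etype-{etype}")


_ETYPE_LIST = re.compile(r"\{([\d ]+)\}")


def decode_log_etypes(line: str) -> List[str]:
    """Map the '{18 17 ...}' etype list of a KDC log line to enctype names."""
    m = _ETYPE_LIST.search(line)
    return [enctype_name(int(n)) for n in m.group(1).split()] if m else []


@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int
    key: bytes


def _cstr(b: bytes) -> bytes:
    """Counted octet string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_cstr(data: bytes, pos: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialise entries in MIT keytab format v0x0502 (used here to construct test data)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, e.kvno & 0xFF)  # name_type NT_PRINCIPAL, timestamp 0, vno8
        body += struct.pack(">H", e.enctype) + _cstr(e.key)  # keyblock
        body += struct.pack(">I", e.kvno)  # optional 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse an MIT v0x0502 keytab: version, then (int32 size, entry) records."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:  # a negative size marks a deleted slot of that length: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_cstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_cstr(data, pos)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        (etype,) = struct.unpack_from(">H", data, pos + 9)
        key, pos = _read_cstr(data, pos + 11)
        # The 32-bit kvno is present only if 4 bytes remain in the record.
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, etype, key))
        pos = end
    return entries


def audit_kadm5_keytab(data: bytes, required=("kadmin/admin", "kadmin/changepw")) -> List[str]:
    """Return findings: missing kadmind principals and weak or deprecated key enctypes."""
    entries = parse_keytab(data)
    present = {e.principal.split("@")[0] for e in entries}
    findings = [f"missing entry for {r}" for r in required if r not in present]
    for e in entries:
        if e.enctype in WEAK_ENCTYPES:
            findings.append(f"{e.principal} kvno {e.kvno}: weak {enctype_name(e.enctype)} ({e.enctype})")
        elif e.enctype in DEPRECATED_ENCTYPES:
            findings.append(f"{e.principal} kvno {e.kvno}: deprecated {enctype_name(e.enctype)} ({e.enctype})")
    return findings


# Constructed sample mirroring the ktadd output above: each principal has a 3DES key
# (enctype 16) and a single-DES key (enctype 1) at kvno 3. Key bytes are dummies.
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry("kadmin/admin@DEBIAN-FR.ORG", 3, 16, bytes(24)),
    KeytabEntry("kadmin/admin@DEBIAN-FR.ORG", 3, 1, bytes(8)),
    KeytabEntry("kadmin/changepw@DEBIAN-FR.ORG", 3, 16, bytes(24)),
    KeytabEntry("kadmin/changepw@DEBIAN-FR.ORG", 3, 1, bytes(8)),
])
# Constructed log line in the style of MIT kdc.log.
SAMPLE_LOG = ("AS_REQ (4 etypes {18 17 16 1}) 192.0.2.10: ISSUE: authtime 1199145600, "
              "etypes {rep=18 tkt=16 ses=18}, asyd@DEBIAN-FR.ORG for krbtgt/DEBIAN-FR.ORG@DEBIAN-FR.ORG")

if __name__ == "__main__":
    print(decode_log_etypes(SAMPLE_LOG))
    for finding in audit_kadm5_keytab(SAMPLE_KEYTAB):
        print(finding)
```

To run it against the real file, read /etc/krb5kdc/kadm5.keytab as bytes (as root) and pass it to audit_kadm5_keytab; on a current KDC the kadmin/admin and kadmin/changepw entries should only show AES enctypes, and any DES entry like those in the ktadd output above is a finding.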