Welcome to Bruno Bonfils's (aka asyd homepage).
|
This is an old revision of the document! MIT ImplementationEnctypeskdc logs use decimal value to refer encrypt types Extract from kr5b.conf /* per Kerberos v5 protocol spec */ #define ENCTYPE_NULL 0x0000 #define ENCTYPE_DES_CBC_CRC 0x0001 /* DES cbc mode with CRC-32 */ #define ENCTYPE_DES_CBC_MD4 0x0002 /* DES cbc mode with RSA-MD4 */ #define ENCTYPE_DES_CBC_MD5 0x0003 /* DES cbc mode with RSA-MD5 */ #define ENCTYPE_DES_CBC_RAW 0x0004 /* DES cbc mode raw */ /* XXX deprecated? */ #define ENCTYPE_DES3_CBC_SHA 0x0005 /* DES-3 cbc mode with NIST-SHA */ #define ENCTYPE_DES3_CBC_RAW 0x0006 /* DES-3 cbc mode raw */ #define ENCTYPE_DES_HMAC_SHA1 0x0008 #define ENCTYPE_DES3_CBC_SHA1 0x0010 #define ENCTYPE_AES128_CTS_HMAC_SHA1_96 0x0011 #define ENCTYPE_AES256_CTS_HMAC_SHA1_96 0x0012 #define ENCTYPE_ARCFOUR_HMAC 0x0017 #define ENCTYPE_ARCFOUR_HMAC_EXP 0x0018 #define ENCTYPE_UNKNOWN 0x01ff /* local crud */ /* marc's DES-3 with 32-bit length */ #define ENCTYPE_LOCAL_DES3_HMAC_SHA1 0x7007 #define CKSUMTYPE_CRC32 0x0001 #define CKSUMTYPE_RSA_MD4 0x0002 #define CKSUMTYPE_RSA_MD4_DES 0x0003 #define CKSUMTYPE_DESCBC 0x0004 /* des-mac-k */ /* rsa-md4-des-k */ #define CKSUMTYPE_RSA_MD5 0x0007 #define CKSUMTYPE_RSA_MD5_DES 0x0008 #define CKSUMTYPE_NIST_SHA 0x0009 #define CKSUMTYPE_HMAC_SHA1_DES3 0x000c #define CKSUMTYPE_HMAC_SHA1_96_AES128 0x000f #define CKSUMTYPE_HMAC_SHA1_96_AES256 0x0010 #define CKSUMTYPE_HMAC_MD5_ARCFOUR -138 /*Microsoft md5 hmac cksumtype*/\ Debian InstallationRequirementsPackages # apt-get install krb5-admin-server krb5-kdc Create the realm database and the stash file # kdb5_util create -r <realm> -s Initial ACL /etc/krb5kdc/kadm5.acl */admin@DEBIAN-FR.ORG * This is the minimal ACL file you MUST have in order to login locally (with kadmin.local) and add another principals. Create the kadmin principal # kadmin.local Authenticating as principal root/admin@DEBIAN-FR.ORG with password. kadmin.local: addprinc asyd/admin@DEBIAN-FR.ORG WARNING: no policy specified for asyd/admin@DEBIAN-FR.ORG; defaulting to no policy Enter password for principal "asyd/admin@DEBIAN-FR.ORG": Re-enter password for principal "asyd/admin@DEBIAN-FR.ORG": Principal "asyd/admin@DEBIAN-FR.ORG" created. Create the minial keytab # kadmin.local kadmin.local: ktadd -k /etc/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw Entry for principal kadmin/admin with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5kdc/kadm5.keytab. Entry for principal kadmin/admin with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5kdc/kadm5.keytab. Entry for principal kadmin/changepw with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5kdc/kadm5.keytab. Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5kdc/kadm5.keytab. Optional: enable logging, add the following lines to /etc/krb5.conf
[logging]
kdc = FILE:/var/log/krb/kdc.log
admin_server = FILE:/var/log/krb/admin.log
|
