Next: Credential cache server - KCM, Previous: Incremental propagation, Up: Setting up a realm [Contents]
The encryption types that the KDC assigns to new keys by default can be changed. Since the keys used for user authentication are salted, the encryption types are described together with their salt strings.
Salting makes it harder to pre-calculate all possible keys. Because the salt differs between principals (and realms), a single pre-computed table of password-to-key mappings cannot be reused; each candidate password has to be run through the string-to-key function again for every distinct salt, which enlarges the search space enough to make full pre-calculation impractical. Salting is the process of mixing a public string (the salt) with the password and sending the result through an encryption-type-specific string-to-key function that outputs the fixed-size encryption key.
In Kerberos 5 the salt is determined by the encryption type, except in some special cases.
In des there is the Kerberos 4 salt (none at all) or the afs-salt (using the cell, which is the realm in AFS lingo).
In arcfour (the encryption type that Microsoft Windows 2000 uses) there is no salt. This is to be compatible with NTLM keys in Windows NT 4.
[kadmin]default_keys in krb5.conf controls what salting to use.
The syntax of [kadmin]default_keys is ‘[etype:]salt-type[:salt-string]’. ‘etype’ is the encryption type (for example des-cbc-crc, arcfour-hmac-md5 or aes256-cts-hmac-sha1-96), salt-type is the type of salt (pw-salt or afs3-salt), and salt-string is the string that will be used as the salt. Remember that, since the salt is appended or prepended to the password, the empty salt "" is the same thing as no salt at all. A trailing colon with nothing after it therefore selects the empty salt, while omitting the salt-string field altogether selects the salt type's default salt.
Common types of salting include:

v4 (or des:pw-salt:)
    The Kerberos 4 salting uses no salt at all. The reason there is a colon at the end of the salt string is that it makes the salt the empty string (the same as no salt).

v5 (or pw-salt)
    pw-salt uses the default Kerberos 5 salt for each encryption type it is specified for; the default salt is the realm name followed by the principal's name components, in order, with no separators. If the encryption type ‘etype’ isn't given, all default encryption types will be used.

afs3-salt
    afs3-salt is the salt that is used with the Transarc kaserver. It is the cell name appended to the password.