From a3e73d1a874ad68c7ef0cb2ac0fa529b87b29710 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Mon, 20 May 2019 16:52:57 -0400 Subject: [PATCH] Update default krb5kdc mkey manual-entry enctype Change from the legacy des-cbc-crc to the default for kdb5_util and kadmind, which is currently aes256-cts-hmac-sha1-96. (cherry picked from commit 512f5cde625253cba1e6f87e037a00ef88178882) --- doc/admin/admin_commands/krb5kdc.rst | 2 +- src/kdc/main.c | 2 +- src/man/krb5kdc.man | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/admin/admin_commands/krb5kdc.rst b/doc/admin/admin_commands/krb5kdc.rst index 0342d0d18..455bb6858 100644 --- a/doc/admin/admin_commands/krb5kdc.rst +++ b/doc/admin/admin_commands/krb5kdc.rst @@ -39,7 +39,7 @@ LDAP database. The **-k** *keytype* option specifies the key type of the master key to be entered manually as a password when **-m** is given; the default -is ``des-cbc-crc``. +is |defmkey|. The **-M** *mkeyname* option specifies the principal name for the master key in the database (usually ``K/M`` in the KDC's realm). diff --git a/src/kdc/main.c b/src/kdc/main.c index 60092a0df..04393772f 100644 --- a/src/kdc/main.c +++ b/src/kdc/main.c @@ -777,7 +777,7 @@ initialize_realms(krb5_context kcontext, int argc, char **argv, case 'm': /* manual type-in of master key */ manual = TRUE; if (menctype == ENCTYPE_UNKNOWN) - menctype = ENCTYPE_DES_CBC_CRC; + menctype = DEFAULT_KDC_ENCTYPE; break; case 'M': /* master key name in DB */ mkey_name = optarg; diff --git a/src/man/krb5kdc.man b/src/man/krb5kdc.man index 8ace9662f..aa8614698 100644 --- a/src/man/krb5kdc.man +++ b/src/man/krb5kdc.man 
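Review bot: The new default at `menctype = DEFAULT_KDC_ENCTYPE;` in the `case 'm'` branch of src/kdc/main.c changes which key a typed-in master password is turned into when `-k` is omitted, and nothing in the hunk records that for operators. A realm whose master key was created as des-cbc-crc and which relied on the old implicit default will presumably fail master-key verification at startup unless `-k des-cbc-crc` is now passed explicitly. This is inferred, since the code that fetches and verifies the key is outside the hunk. I would add a comment above the assignment such as `/* Keep in sync with the kdb5_util/kadmind mkey default; legacy realms need an explicit -k. */` and mention the upgrade case next to the `-k` text in krb5kdc.rst. initialize_realms starts and ends outside the hunk.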
@@ -59,7 +59,7 @@ LDAP database. .sp The \fB\-k\fP \fIkeytype\fP option specifies the key type of the master key to be entered manually as a password when \fB\-m\fP is given; the default -is \fBdes\-cbc\-crc\fP\&. +is \fBaes256\-cts\-hmac\-sha1\-96\fP\&. .sp The \fB\-M\fP \fImkeyname\fP option specifies the principal name for the master key in the database (usually \fBK/M\fP in the KDC\(aqs realm).