From eb4fb8cb24e6cac194acc2c507b334658fc5431d Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Thu, 11 Apr 2019 18:25:41 -0400 Subject: [PATCH] Modernize example enctypes in documentation ticket: 8805 (new) (cherry picked from commit ccb4a3e4b35fa9ea63af0e98a42eba4aadb099e2) --- doc/admin/admin_commands/kadmin_local.rst | 8 ++++---- doc/admin/admin_commands/kdb5_util.rst | 10 +++++----- doc/admin/database.rst | 2 +- doc/admin/install_appl_srv.rst | 19 +++++++------------ doc/admin/install_kdc.rst | 2 +- src/man/kadmin.man | 10 +++++----- src/man/kdb5_util.man | 10 +++++----- .../kdb/ldap/libkdb_ldap/kerberos.ldif | 4 ++-- .../kdb/ldap/libkdb_ldap/kerberos.schema | 4 ++-- 9 files changed, 32 insertions(+), 37 deletions(-) diff --git a/doc/admin/admin_commands/kadmin_local.rst b/doc/admin/admin_commands/kadmin_local.rst index 150da1fad..71aa894f6 100644 --- a/doc/admin/admin_commands/kadmin_local.rst +++ b/doc/admin/admin_commands/kadmin_local.rst @@ -569,16 +569,16 @@ Examples:: Principal: tlyu/admin@BLEEP.COM Expiration date: [never] Last password change: Mon Aug 12 14:16:47 EDT 1996 - Password expiration date: [none] + Password expiration date: [never] Maximum ticket life: 0 days 10:00:00 Maximum renewable life: 7 days 00:00:00 Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM) Last successful authentication: [never] Last failed authentication: [never] Failed password attempts: 0 - Number of keys: 2 - Key: vno 1, des-cbc-crc - Key: vno 1, des-cbc-crc:v4 + Number of keys: 1 + Key: vno 1, aes256-cts-hmac-sha384-192 + MKey: vno 1 Attributes: Policy: [none] diff --git a/doc/admin/admin_commands/kdb5_util.rst b/doc/admin/admin_commands/kdb5_util.rst index 7dd54f797..444c58bcd 100644 --- a/doc/admin/admin_commands/kdb5_util.rst +++ b/doc/admin/admin_commands/kdb5_util.rst 
@@ -476,17 +476,17 @@ Examples:: $ kdb5_util tabdump -o keyinfo.txt keyinfo $ cat keyinfo.txt name keyindex kvno enctype salttype salt + K/M@EXAMPLE.COM 0 1 aes256-cts-hmac-sha384-192 normal -1 foo@EXAMPLE.COM 0 1 aes128-cts-hmac-sha1-96 normal -1 bar@EXAMPLE.COM 0 1 aes128-cts-hmac-sha1-96 normal -1 - bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1 $ sqlite3 sqlite> .mode tabs sqlite> .import keyinfo.txt keyinfo - sqlite> select * from keyinfo where enctype like 'des-cbc-%'; - bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1 + sqlite> select * from keyinfo where enctype like 'aes256-%'; + K/M@EXAMPLE.COM 1 1 aes256-cts-hmac-sha384-192 normal -1 sqlite> .quit - $ awk -F'\t' '$4 ~ /des-cbc-/ { print }' keyinfo.txt - bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1 + $ awk -F'\t' '$4 ~ /aes256-/ { print }' keyinfo.txt + K/M@EXAMPLE.COM 1 1 aes256-cts-hmac-sha384-192 normal -1 ENVIRONMENT diff --git a/doc/admin/database.rst b/doc/admin/database.rst index 113a680a6..0eb5ccde7 100644 --- a/doc/admin/database.rst +++ b/doc/admin/database.rst @@ -483,7 +483,7 @@ availability. To roll over the master key, follow these steps: $ kdb5_util list_mkeys Master keys for Principal: K/M@KRBTEST.COM - KVNO: 1, Enctype: des-cbc-crc, Active on: Wed Dec 31 19:00:00 EST 1969 * + KVNO: 1, Enctype: aes256-cts-hmac-sha384-192, Active on: Thu Jan 01 00:00:00 UTC 1970 * #. On the master KDC, run ``kdb5_util use_mkey 1`` to ensure that a master key activation list is present in the database. This step diff --git a/doc/admin/install_appl_srv.rst b/doc/admin/install_appl_srv.rst index 6bae7248f..6b2d8e471 100644 --- a/doc/admin/install_appl_srv.rst +++ b/doc/admin/install_appl_srv.rst 
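Review bot: The rewritten example is internally inconsistent: the `cat keyinfo.txt` listing shows the `K/M@EXAMPLE.COM` row with keyindex 0, but the sqlite and awk result lines print that same row with keyindex 1, so the query output does not match the data it was run on. The two result rows should read `K/M@EXAMPLE.COM 0 1 aes256-cts-hmac-sha384-192 normal -1`. The src/man/kdb5_util.man hunk carries the same mismatch; that page appears to be generated from this file, so it should be regenerated after the fix. Separately, the old `des-cbc-` filter illustrated a practical audit, namely listing principals that still hold single-DES keys, and matching on `aes256-` no longer shows that use. A sentence after the block saying the pattern can be pointed at any deprecated enctype would keep it visible.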
@@ -44,18 +44,13 @@ pop, the administrator ``joeadmin`` would issue the command (on ``trillium.mit.edu``):: trillium% kadmin - kadmin5: ktadd host/trillium.mit.edu ftp/trillium.mit.edu - pop/trillium.mit.edu - kadmin: Entry for principal host/trillium.mit.edu@ATHENA.MIT.EDU with - kvno 3, encryption type DES-CBC-CRC added to keytab - FILE:/etc/krb5.keytab. - kadmin: Entry for principal ftp/trillium.mit.edu@ATHENA.MIT.EDU with - kvno 3, encryption type DES-CBC-CRC added to keytab - FILE:/etc/krb5.keytab. - kadmin: Entry for principal pop/trillium.mit.edu@ATHENA.MIT.EDU with - kvno 3, encryption type DES-CBC-CRC added to keytab - FILE:/etc/krb5.keytab. - kadmin5: quit + Authenticating as principal root/admin@ATHENA.MIT.EDU with password. + Password for root/admin@ATHENA.MIT.EDU: + kadmin: ktadd host/trillium.mit.edu ftp/trillium.mit.edu pop/trillium.mit.edu + Entry for principal host/trillium.mit.edu@ATHENA.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab. + kadmin: Entry for principal ftp/trillium.mit.edu@ATHENA.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab. + kadmin: Entry for principal pop/trillium.mit.edu@ATHENA.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab. + kadmin: quit trillium% If you generate the keytab file on another host, you need to get a diff --git a/doc/admin/install_kdc.rst b/doc/admin/install_kdc.rst index 5d1e70ede..3bec59f96 100644 --- a/doc/admin/install_kdc.rst +++ b/doc/admin/install_kdc.rst 
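Review bot: In the new transcript the second and third `Entry for principal ...` output lines carry a `kadmin:` prefix while the first does not, which makes program output look like typed commands. I would drop the prefix from those two lines and keep `kadmin:` only before `ktadd` and `quit`. The added authentication lines also name `root/admin@ATHENA.MIT.EDU`, while the prose leading into the block (it begins above the hunk) says the administrator `joeadmin` issues the command. Showing that administrator's own admin principal, presumably `joeadmin/admin@ATHENA.MIT.EDU`, would match the text and avoid suggesting a shared root admin identity.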
@@ -340,7 +340,7 @@ To extract a keytab directly on a replica KDC called Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab. Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption - type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab. + type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab. Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab. diff --git a/src/man/kadmin.man b/src/man/kadmin.man index 849677258..44859a378 100644 --- a/src/man/kadmin.man +++ b/src/man/kadmin.man @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "KADMIN" "1" " " "1.17" "MIT Kerberos" +.TH "KADMIN" "1" " " "1.18" "MIT Kerberos" .SH NAME kadmin \- Kerberos V5 database administration program . @@ -610,16 +610,16 @@ kadmin: getprinc tlyu/admin Principal: tlyu/admin@BLEEP.COM Expiration date: [never] Last password change: Mon Aug 12 14:16:47 EDT 1996 -Password expiration date: [none] +Password expiration date: [never] Maximum ticket life: 0 days 10:00:00 Maximum renewable life: 7 days 00:00:00 Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM) Last successful authentication: [never] Last failed authentication: [never] Failed password attempts: 0 -Number of keys: 2 -Key: vno 1, des\-cbc\-crc -Key: vno 1, des\-cbc\-crc:v4 +Number of keys: 1 +Key: vno 1, aes256\-cts\-hmac\-sha384\-192 +MKey: vno 1 Attributes: Policy: [none] diff --git a/src/man/kdb5_util.man b/src/man/kdb5_util.man index 9a36ef0df..46772a236 100644 --- a/src/man/kdb5_util.man +++ b/src/man/kdb5_util.man 
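Review bot: The sample keytab output still ends with an `arcfour-hmac` entry (the context line right after the changed one), so the example keeps showing an RC4 key being extracted even though this change is meant to modernize the enctypes on display. RFC 8429 deprecated RC4 for Kerberos together with 3DES, so I would either drop that entry from the listing or follow the block with a sentence noting that such entries appear only when the principal still has legacy keys. The listing begins above the hunk, so earlier entries are not visible here.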
@@ -529,17 +529,17 @@ Examples: $ kdb5_util tabdump \-o keyinfo.txt keyinfo $ cat keyinfo.txt name keyindex kvno enctype salttype salt +K/M@EXAMPLE.COM 0 1 aes256\-cts\-hmac\-sha384\-192 normal \-1 foo@EXAMPLE.COM 0 1 aes128\-cts\-hmac\-sha1\-96 normal \-1 bar@EXAMPLE.COM 0 1 aes128\-cts\-hmac\-sha1\-96 normal \-1 -bar@EXAMPLE.COM 1 1 des\-cbc\-crc normal \-1 $ sqlite3 sqlite> .mode tabs sqlite> .import keyinfo.txt keyinfo -sqlite> select * from keyinfo where enctype like \(aqdes\-cbc\-%\(aq; -bar@EXAMPLE.COM 1 1 des\-cbc\-crc normal \-1 +sqlite> select * from keyinfo where enctype like \(aqaes256\-%\(aq; +K/M@EXAMPLE.COM 1 1 aes256\-cts\-hmac\-sha384\-192 normal \-1 sqlite> .quit -$ awk \-F\(aq\et\(aq \(aq$4 ~ /des\-cbc\-/ { print }\(aq keyinfo.txt -bar@EXAMPLE.COM 1 1 des\-cbc\-crc normal \-1 +$ awk \-F\(aq\et\(aq \(aq$4 ~ /aes256\-/ { print }\(aq keyinfo.txt +K/M@EXAMPLE.COM 1 1 aes256\-cts\-hmac\-sha384\-192 normal \-1 .ft P .fi .UNINDENT diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif index 13db48609..4224f0850 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif +++ b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif @@ -512,7 +512,7 @@ attributetypes: ( 2.16.840.1.113719.1.301.4.41.1 ##### Holds the default encryption/salt type combinations of principals for ##### the Realm. Stores in the form of key:salt strings. -##### Example: des-cbc-crc:normal +##### Example: aes256-cts-hmac-sha384-192:normal dn: cn=schema changetype: modify @@ -533,7 +533,7 @@ attributetypes: ( 2.16.840.1.113719.1.301.4.42.1 ##### ONLYREALM ##### SPECIAL ##### AFS3 -##### Example: des-cbc-crc:normal +##### Example: aes256-cts-hmac-sha384-192:normal ##### ##### This attribute obsoletes the krbSupportedEncTypes and krbSupportedSaltTypes ##### attributes. diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema index 52036a178..171f66927 100644 
--- a/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema +++ b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema @@ -410,7 +410,7 @@ attributetype ( 2.16.840.1.113719.1.301.4.41.1 ##### Holds the default encryption/salt type combinations of principals for ##### the Realm. Stores in the form of key:salt strings. This will be ##### subset of the supported encryption/salt types. -##### Example: des-cbc-crc:normal +##### Example: aes256-cts-hmac-sha384-192:normal attributetype ( 2.16.840.1.113719.1.301.4.42.1 NAME 'krbDefaultEncSaltTypes' @@ -428,7 +428,7 @@ attributetype ( 2.16.840.1.113719.1.301.4.42.1 ##### ONLYREALM ##### SPECIAL ##### AFS3 -##### Example: des-cbc-crc:normal +##### Example: aes256-cts-hmac-sha384-192:normal attributetype ( 2.16.840.1.113719.1.301.4.43.1 NAME 'krbSupportedEncSaltTypes'