krb5/Modernize-example-enctypes-in-documentation.patch
2019-05-28 15:22:45 -04:00

From eb4fb8cb24e6cac194acc2c507b334658fc5431d Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 11 Apr 2019 18:25:41 -0400
Subject: [PATCH] Modernize example enctypes in documentation
ticket: 8805 (new)
(cherry picked from commit ccb4a3e4b35fa9ea63af0e98a42eba4aadb099e2)
---
doc/admin/admin_commands/kadmin_local.rst | 8 ++++----
doc/admin/admin_commands/kdb5_util.rst | 10 +++++-----
doc/admin/database.rst | 2 +-
doc/admin/install_appl_srv.rst | 19 +++++++------------
doc/admin/install_kdc.rst | 2 +-
src/man/kadmin.man | 10 +++++-----
src/man/kdb5_util.man | 10 +++++-----
.../kdb/ldap/libkdb_ldap/kerberos.ldif | 4 ++--
.../kdb/ldap/libkdb_ldap/kerberos.schema | 4 ++--
9 files changed, 32 insertions(+), 37 deletions(-)
diff --git a/doc/admin/admin_commands/kadmin_local.rst b/doc/admin/admin_commands/kadmin_local.rst
index 150da1fad..71aa894f6 100644
--- a/doc/admin/admin_commands/kadmin_local.rst
+++ b/doc/admin/admin_commands/kadmin_local.rst
@@ -569,16 +569,16 @@ Examples::
Principal: tlyu/admin@BLEEP.COM
Expiration date: [never]
Last password change: Mon Aug 12 14:16:47 EDT 1996
- Password expiration date: [none]
+ Password expiration date: [never]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
- Number of keys: 2
- Key: vno 1, des-cbc-crc
- Key: vno 1, des-cbc-crc:v4
+ Number of keys: 1
+ Key: vno 1, aes256-cts-hmac-sha384-192
+ MKey: vno 1
Attributes:
Policy: [none]
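Review bot: The getprinc example in kadmin_local.rst changes more than the enctype: "Password expiration date" goes from [none] to [never] and an "MKey: vno 1" line is added, neither of which the subject line "Modernize example enctypes" covers. Mention these output-format corrections in the commit message so the change is not read as an accidental edit. The surrounding timestamps are still from 1996, which sits oddly next to an aes256-cts-hmac-sha384-192 key; consider refreshing the dates in the same example.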
diff --git a/doc/admin/admin_commands/kdb5_util.rst b/doc/admin/admin_commands/kdb5_util.rst
index 7dd54f797..444c58bcd 100644
--- a/doc/admin/admin_commands/kdb5_util.rst
+++ b/doc/admin/admin_commands/kdb5_util.rst
@@ -476,17 +476,17 @@ Examples::
$ kdb5_util tabdump -o keyinfo.txt keyinfo
$ cat keyinfo.txt
name keyindex kvno enctype salttype salt
+ K/M@EXAMPLE.COM 0 1 aes256-cts-hmac-sha384-192 normal -1
foo@EXAMPLE.COM 0 1 aes128-cts-hmac-sha1-96 normal -1
bar@EXAMPLE.COM 0 1 aes128-cts-hmac-sha1-96 normal -1
- bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1
$ sqlite3
sqlite> .mode tabs
sqlite> .import keyinfo.txt keyinfo
- sqlite> select * from keyinfo where enctype like 'des-cbc-%';
- bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1
+ sqlite> select * from keyinfo where enctype like 'aes256-%';
+ K/M@EXAMPLE.COM 1 1 aes256-cts-hmac-sha384-192 normal -1
sqlite> .quit
- $ awk -F'\t' '$4 ~ /des-cbc-/ { print }' keyinfo.txt
- bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1
+ $ awk -F'\t' '$4 ~ /aes256-/ { print }' keyinfo.txt
+ K/M@EXAMPLE.COM 1 1 aes256-cts-hmac-sha384-192 normal -1
ENVIRONMENT
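Review bot: The added K/M@EXAMPLE.COM row in the tabdump listing has keyindex 0, but the sqlite and awk results printed below it show the same row with keyindex 1 ("K/M@EXAMPLE.COM 1 1 aes256-cts-hmac-sha384-192 normal -1"). The query output must match the imported data, so use 0 in both result lines. The old bar@EXAMPLE.COM result had keyindex 1 because it was that principal's second key, and the value appears to have been carried over.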
diff --git a/doc/admin/database.rst b/doc/admin/database.rst
index 113a680a6..0eb5ccde7 100644
--- a/doc/admin/database.rst
+++ b/doc/admin/database.rst
@@ -483,7 +483,7 @@ availability. To roll over the master key, follow these steps:
$ kdb5_util list_mkeys
Master keys for Principal: K/M@KRBTEST.COM
- KVNO: 1, Enctype: des-cbc-crc, Active on: Wed Dec 31 19:00:00 EST 1969 *
+ KVNO: 1, Enctype: aes256-cts-hmac-sha384-192, Active on: Thu Jan 01 00:00:00 UTC 1970 *
#. On the master KDC, run ``kdb5_util use_mkey 1`` to ensure that a
master key activation list is present in the database. This step
diff --git a/doc/admin/install_appl_srv.rst b/doc/admin/install_appl_srv.rst
index 6bae7248f..6b2d8e471 100644
--- a/doc/admin/install_appl_srv.rst
+++ b/doc/admin/install_appl_srv.rst
@@ -44,18 +44,13 @@ pop, the administrator ``joeadmin`` would issue the command (on
``trillium.mit.edu``)::
trillium% kadmin
- kadmin5: ktadd host/trillium.mit.edu ftp/trillium.mit.edu
- pop/trillium.mit.edu
- kadmin: Entry for principal host/trillium.mit.edu@ATHENA.MIT.EDU with
- kvno 3, encryption type DES-CBC-CRC added to keytab
- FILE:/etc/krb5.keytab.
- kadmin: Entry for principal ftp/trillium.mit.edu@ATHENA.MIT.EDU with
- kvno 3, encryption type DES-CBC-CRC added to keytab
- FILE:/etc/krb5.keytab.
- kadmin: Entry for principal pop/trillium.mit.edu@ATHENA.MIT.EDU with
- kvno 3, encryption type DES-CBC-CRC added to keytab
- FILE:/etc/krb5.keytab.
- kadmin5: quit
+ Authenticating as principal root/admin@ATHENA.MIT.EDU with password.
+ Password for root/admin@ATHENA.MIT.EDU:
+ kadmin: ktadd host/trillium.mit.edu ftp/trillium.mit.edu pop/trillium.mit.edu
+ Entry for principal host/trillium.mit.edu@ATHENA.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab.
+ kadmin: Entry for principal ftp/trillium.mit.edu@ATHENA.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab.
+ kadmin: Entry for principal pop/trillium.mit.edu@ATHENA.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab.
+ kadmin: quit
trillium%
If you generate the keytab file on another host, you need to get a
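Review bot: The rewritten ktadd transcript mixes prompt and output: the first "Entry for principal host/trillium.mit.edu..." line has no prefix, while the ftp/ and pop/ lines still begin with "kadmin:" as though they were typed at the prompt. Drop the "kadmin: " prefix from those two output lines. The context above says the administrator joeadmin issues the command, yet the added lines authenticate as root/admin@ATHENA.MIT.EDU; use a matching principal or adjust the prose. The unwrapped output lines are also very long for a literal block.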
diff --git a/doc/admin/install_kdc.rst b/doc/admin/install_kdc.rst
index 5d1e70ede..3bec59f96 100644
--- a/doc/admin/install_kdc.rst
+++ b/doc/admin/install_kdc.rst
@@ -340,7 +340,7 @@ To extract a keytab directly on a replica KDC called
Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption
type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption
- type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
+ type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption
type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
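Review bot: The context line directly after the change still shows an arcfour-hmac entry being added to the keytab, so this example keeps a legacy enctype even though des3-cbc-sha1 is replaced. If the intent is to modernize the example enctypes, update or drop the arcfour-hmac entry in install_kdc.rst as well, or say in the commit message why it stays.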
diff --git a/src/man/kadmin.man b/src/man/kadmin.man
index 849677258..44859a378 100644
--- a/src/man/kadmin.man
+++ b/src/man/kadmin.man
@@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
-.TH "KADMIN" "1" " " "1.17" "MIT Kerberos"
+.TH "KADMIN" "1" " " "1.18" "MIT Kerberos"
.SH NAME
kadmin \- Kerberos V5 database administration program
.
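Review bot: The .TH line in kadmin.man bumps the version string from "1.17" to "1.18", which has nothing to do with enctypes and looks like a side effect of regenerating the man page from the reStructuredText source. Since this patch is marked as a cherry-pick, confirm the target tree really is 1.18; otherwise drop this line so the installed man page does not advertise the wrong release.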
@@ -610,16 +610,16 @@ kadmin: getprinc tlyu/admin
Principal: tlyu/admin@BLEEP.COM
Expiration date: [never]
Last password change: Mon Aug 12 14:16:47 EDT 1996
-Password expiration date: [none]
+Password expiration date: [never]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
-Number of keys: 2
-Key: vno 1, des\-cbc\-crc
-Key: vno 1, des\-cbc\-crc:v4
+Number of keys: 1
+Key: vno 1, aes256\-cts\-hmac\-sha384\-192
+MKey: vno 1
Attributes:
Policy: [none]
diff --git a/src/man/kdb5_util.man b/src/man/kdb5_util.man
index 9a36ef0df..46772a236 100644
--- a/src/man/kdb5_util.man
+++ b/src/man/kdb5_util.man
@@ -529,17 +529,17 @@ Examples:
$ kdb5_util tabdump \-o keyinfo.txt keyinfo
$ cat keyinfo.txt
name keyindex kvno enctype salttype salt
+K/M@EXAMPLE.COM 0 1 aes256\-cts\-hmac\-sha384\-192 normal \-1
foo@EXAMPLE.COM 0 1 aes128\-cts\-hmac\-sha1\-96 normal \-1
bar@EXAMPLE.COM 0 1 aes128\-cts\-hmac\-sha1\-96 normal \-1
-bar@EXAMPLE.COM 1 1 des\-cbc\-crc normal \-1
$ sqlite3
sqlite> .mode tabs
sqlite> .import keyinfo.txt keyinfo
-sqlite> select * from keyinfo where enctype like \(aqdes\-cbc\-%\(aq;
-bar@EXAMPLE.COM 1 1 des\-cbc\-crc normal \-1
+sqlite> select * from keyinfo where enctype like \(aqaes256\-%\(aq;
+K/M@EXAMPLE.COM 1 1 aes256\-cts\-hmac\-sha384\-192 normal \-1
sqlite> .quit
-$ awk \-F\(aq\et\(aq \(aq$4 ~ /des\-cbc\-/ { print }\(aq keyinfo.txt
-bar@EXAMPLE.COM 1 1 des\-cbc\-crc normal \-1
+$ awk \-F\(aq\et\(aq \(aq$4 ~ /aes256\-/ { print }\(aq keyinfo.txt
+K/M@EXAMPLE.COM 1 1 aes256\-cts\-hmac\-sha384\-192 normal \-1
.ft P
.fi
.UNINDENT
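Review bot: In the kdb5_util.man example the added K/M@EXAMPLE.COM row is listed with keyindex 0, while both the sqlite and awk result lines show it with keyindex 1. Correct the result lines to 0 in the .rst source and regenerate this man page rather than editing it by hand, so the two copies stay in sync.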
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
index 13db48609..4224f0850 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
@@ -512,7 +512,7 @@ attributetypes: ( 2.16.840.1.113719.1.301.4.41.1
##### Holds the default encryption/salt type combinations of principals for
##### the Realm. Stores in the form of key:salt strings.
-##### Example: des-cbc-crc:normal
+##### Example: aes256-cts-hmac-sha384-192:normal
dn: cn=schema
changetype: modify
@@ -533,7 +533,7 @@ attributetypes: ( 2.16.840.1.113719.1.301.4.42.1
##### ONLYREALM
##### SPECIAL
##### AFS3
-##### Example: des-cbc-crc:normal
+##### Example: aes256-cts-hmac-sha384-192:normal
#####
##### This attribute obsoletes the krbSupportedEncTypes and krbSupportedSaltTypes
##### attributes.
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
index 52036a178..171f66927 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
@@ -410,7 +410,7 @@ attributetype ( 2.16.840.1.113719.1.301.4.41.1
##### Holds the default encryption/salt type combinations of principals for
##### the Realm. Stores in the form of key:salt strings. This will be
##### subset of the supported encryption/salt types.
-##### Example: des-cbc-crc:normal
+##### Example: aes256-cts-hmac-sha384-192:normal
attributetype ( 2.16.840.1.113719.1.301.4.42.1
NAME 'krbDefaultEncSaltTypes'
@@ -428,7 +428,7 @@ attributetype ( 2.16.840.1.113719.1.301.4.42.1
##### ONLYREALM
##### SPECIAL
##### AFS3
-##### Example: des-cbc-crc:normal
+##### Example: aes256-cts-hmac-sha384-192:normal
attributetype ( 2.16.840.1.113719.1.301.4.43.1
NAME 'krbSupportedEncSaltTypes'