f50ceacadf
Switch to upstream's ksu path patch
From c60e5d66e2aaa9123a333c4f7d5a44fdc735ec66 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 11 Apr 2019 18:25:41 -0400
Subject: [PATCH] Modernize example enctypes in documentation
ticket: 8805 (new)
(cherry picked from commit ccb4a3e4b35fa9ea63af0e98a42eba4aadb099e2)
---
doc/admin/admin_commands/kadmin_local.rst | 8 ++++----
doc/admin/admin_commands/kdb5_util.rst | 10 +++++-----
doc/admin/database.rst | 2 +-
doc/admin/install_appl_srv.rst | 19 +++++++------------
doc/admin/install_kdc.rst | 2 +-
src/man/kadmin.man | 10 +++++-----
src/man/kdb5_util.man | 10 +++++-----
.../kdb/ldap/libkdb_ldap/kerberos.ldif | 4 ++--
.../kdb/ldap/libkdb_ldap/kerberos.schema | 4 ++--
9 files changed, 32 insertions(+), 37 deletions(-)
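diff --git a/doc/admin/admin_commands/kadmin_local.rst b/doc/admin/admin_commands/kadmin_local.rst
index 150da1fad..71aa894f6 100644
--- a/doc/admin/admin_commands/kadmin_local.rst
+++ b/doc/admin/admin_commands/kadmin_local.rst
@@ -569,16 +569,16 @@ Examples::
 Principal: tlyu/admin@BLEEP.COM
 Expiration date: [never]
 Last password change: Mon Aug 12 14:16:47 EDT 1996
- Password expiration date: [none]
+ Password expiration date: [never]
 Maximum ticket life: 0 days 10:00:00
 Maximum renewable life: 7 days 00:00:00
 Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM)
 Last successful authentication: [never]
 Last failed authentication: [never]
 Failed password attempts: 0
- Number of keys: 2
- Key: vno 1, des-cbc-crc
- Key: vno 1, des-cbc-crc:v4
+ Number of keys: 1
+ Key: vno 1, aes256-cts-hmac-sha384-192
+ MKey: vno 1
 Attributes:
 Policy: [none]
 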
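diff --git a/doc/admin/admin_commands/kdb5_util.rst b/doc/admin/admin_commands/kdb5_util.rst
index 7dd54f797..444c58bcd 100644
--- a/doc/admin/admin_commands/kdb5_util.rst
+++ b/doc/admin/admin_commands/kdb5_util.rst
@@ -476,17 +476,17 @@ Examples::
 $ kdb5_util tabdump -o keyinfo.txt keyinfo
 $ cat keyinfo.txt
 name keyindex kvno enctype salttype salt
+ K/M@EXAMPLE.COM 0 1 aes256-cts-hmac-sha384-192 normal -1
 foo@EXAMPLE.COM 0 1 aes128-cts-hmac-sha1-96 normal -1
 bar@EXAMPLE.COM 0 1 aes128-cts-hmac-sha1-96 normal -1
- bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1
 $ sqlite3
 sqlite> .mode tabs
 sqlite> .import keyinfo.txt keyinfo
- sqlite> select * from keyinfo where enctype like 'des-cbc-%';
- bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1
+ sqlite> select * from keyinfo where enctype like 'aes256-%';
+ K/M@EXAMPLE.COM 1 1 aes256-cts-hmac-sha384-192 normal -1
 sqlite> .quit
- $ awk -F'\t' '$4 ~ /des-cbc-/ { print }' keyinfo.txt
- bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1
+ $ awk -F'\t' '$4 ~ /aes256-/ { print }' keyinfo.txt
+ K/M@EXAMPLE.COM 1 1 aes256-cts-hmac-sha384-192 normal -1
 
 
 ENVIRONMENT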
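Review bot: The query results in the new example contradict the dump printed just above them: `cat keyinfo.txt` lists the K/M@EXAMPLE.COM row with keyindex 0, while the sqlite and awk outputs print that row with keyindex 1, apparently carried over from the removed bar@EXAMPLE.COM DES row. Both output lines should read `K/M@EXAMPLE.COM 0 1 aes256-cts-hmac-sha384-192 normal -1`. The old example also doubled as a recipe for auditing a database for keys of a weak enctype; matching `aes256-%` no longer conveys that, so a sentence ahead of the example saying the pattern can be replaced by whichever enctype is being phased out would keep that use visible. The same mismatch appears in src/man/kdb5_util.man, which is generated from this file.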
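diff --git a/doc/admin/database.rst b/doc/admin/database.rst
index 113a680a6..0eb5ccde7 100644
--- a/doc/admin/database.rst
+++ b/doc/admin/database.rst
@@ -483,7 +483,7 @@ availability. To roll over the master key, follow these steps:
 
 $ kdb5_util list_mkeys
 Master keys for Principal: K/M@KRBTEST.COM
- KVNO: 1, Enctype: des-cbc-crc, Active on: Wed Dec 31 19:00:00 EST 1969 *
+ KVNO: 1, Enctype: aes256-cts-hmac-sha384-192, Active on: Thu Jan 01 00:00:00 UTC 1970 *
 
 #. On the master KDC, run ``kdb5_util use_mkey 1`` to ensure that a
 master key activation list is present in the database. This step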
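diff --git a/doc/admin/install_appl_srv.rst b/doc/admin/install_appl_srv.rst
index 6bae7248f..6b2d8e471 100644
--- a/doc/admin/install_appl_srv.rst
+++ b/doc/admin/install_appl_srv.rst
@@ -44,18 +44,13 @@ pop, the administrator ``joeadmin`` would issue the command (on
 ``trillium.mit.edu``)::
 
 trillium% kadmin
- kadmin5: ktadd host/trillium.mit.edu ftp/trillium.mit.edu
- pop/trillium.mit.edu
- kadmin: Entry for principal host/trillium.mit.edu@ATHENA.MIT.EDU with
- kvno 3, encryption type DES-CBC-CRC added to keytab
- FILE:/etc/krb5.keytab.
- kadmin: Entry for principal ftp/trillium.mit.edu@ATHENA.MIT.EDU with
- kvno 3, encryption type DES-CBC-CRC added to keytab
- FILE:/etc/krb5.keytab.
- kadmin: Entry for principal pop/trillium.mit.edu@ATHENA.MIT.EDU with
- kvno 3, encryption type DES-CBC-CRC added to keytab
- FILE:/etc/krb5.keytab.
- kadmin5: quit
+ Authenticating as principal root/admin@ATHENA.MIT.EDU with password.
+ Password for root/admin@ATHENA.MIT.EDU:
+ kadmin: ktadd host/trillium.mit.edu ftp/trillium.mit.edu pop/trillium.mit.edu
+ Entry for principal host/trillium.mit.edu@ATHENA.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab.
+ kadmin: Entry for principal ftp/trillium.mit.edu@ATHENA.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab.
+ kadmin: Entry for principal pop/trillium.mit.edu@ATHENA.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab.
+ kadmin: quit
 trillium%
 
 If you generate the keytab file on another host, you need to get a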
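Review bot: The three `Entry for principal ...` lines in the new transcript are formatted inconsistently: the host/ line has no prefix, while the ftp/ and pop/ lines begin with `kadmin:`, which makes program output look like something typed at the prompt. Dropping the `kadmin: ` prefix from those two lines would make all three match. Because this example writes long-term service keys to `FILE:/etc/krb5.keytab`, a short sentence after the transcript reminding the reader that the keytab should be readable only by the account the services run as would be a useful addition. The paragraph that follows the example continues outside the hunk.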
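diff --git a/doc/admin/install_kdc.rst b/doc/admin/install_kdc.rst
index 5d1e70ede..3bec59f96 100644
--- a/doc/admin/install_kdc.rst
+++ b/doc/admin/install_kdc.rst
@@ -340,7 +340,7 @@ To extract a keytab directly on a replica KDC called
 Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption
 type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
 Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption
- type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
+ type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab.
 Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption
 type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
 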
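Review bot: The sample output still ends with an `arcfour-hmac` entry (the context lines after the changed one), so the modernized example continues to show an RC4 key being written to the replica's host keytab. Since the `des3-cbc-sha1` line is replaced here, the `arcfour-hmac` entry could be dropped from the sample as well. Alternatively, a sentence could say that legacy enctypes appear in the output only when the realm is still configured to issue them. The example block begins and ends outside the hunk.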
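diff --git a/src/man/kadmin.man b/src/man/kadmin.man
index 849677258..44859a378 100644
--- a/src/man/kadmin.man
+++ b/src/man/kadmin.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KADMIN" "1" " " "1.17" "MIT Kerberos"
+.TH "KADMIN" "1" " " "1.18" "MIT Kerberos"
 .SH NAME
 kadmin \- Kerberos V5 database administration program
 .
@@ -610,16 +610,16 @@ kadmin: getprinc tlyu/admin
 Principal: tlyu/admin@BLEEP.COM
 Expiration date: [never]
 Last password change: Mon Aug 12 14:16:47 EDT 1996
-Password expiration date: [none]
+Password expiration date: [never]
 Maximum ticket life: 0 days 10:00:00
 Maximum renewable life: 7 days 00:00:00
 Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM)
 Last successful authentication: [never]
 Last failed authentication: [never]
 Failed password attempts: 0
-Number of keys: 2
-Key: vno 1, des\-cbc\-crc
-Key: vno 1, des\-cbc\-crc:v4
+Number of keys: 1
+Key: vno 1, aes256\-cts\-hmac\-sha384\-192
+MKey: vno 1
 Attributes:
 Policy: [none]
 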
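diff --git a/src/man/kdb5_util.man b/src/man/kdb5_util.man
index 9a36ef0df..46772a236 100644
--- a/src/man/kdb5_util.man
+++ b/src/man/kdb5_util.man
@@ -529,17 +529,17 @@ Examples:
 $ kdb5_util tabdump \-o keyinfo.txt keyinfo
 $ cat keyinfo.txt
 name keyindex kvno enctype salttype salt
+K/M@EXAMPLE.COM 0 1 aes256\-cts\-hmac\-sha384\-192 normal \-1
 foo@EXAMPLE.COM 0 1 aes128\-cts\-hmac\-sha1\-96 normal \-1
 bar@EXAMPLE.COM 0 1 aes128\-cts\-hmac\-sha1\-96 normal \-1
-bar@EXAMPLE.COM 1 1 des\-cbc\-crc normal \-1
 $ sqlite3
 sqlite> .mode tabs
 sqlite> .import keyinfo.txt keyinfo
-sqlite> select * from keyinfo where enctype like \(aqdes\-cbc\-%\(aq;
-bar@EXAMPLE.COM 1 1 des\-cbc\-crc normal \-1
+sqlite> select * from keyinfo where enctype like \(aqaes256\-%\(aq;
+K/M@EXAMPLE.COM 1 1 aes256\-cts\-hmac\-sha384\-192 normal \-1
 sqlite> .quit
-$ awk \-F\(aq\et\(aq \(aq$4 ~ /des\-cbc\-/ { print }\(aq keyinfo.txt
-bar@EXAMPLE.COM 1 1 des\-cbc\-crc normal \-1
+$ awk \-F\(aq\et\(aq \(aq$4 ~ /aes256\-/ { print }\(aq keyinfo.txt
+K/M@EXAMPLE.COM 1 1 aes256\-cts\-hmac\-sha384\-192 normal \-1
 .ft P
 .fi
 .UNINDENT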
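diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
index 13db48609..4224f0850 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
@@ -512,7 +512,7 @@ attributetypes: ( 2.16.840.1.113719.1.301.4.41.1
 
 ##### Holds the default encryption/salt type combinations of principals for
 ##### the Realm. Stores in the form of key:salt strings.
-##### Example: des-cbc-crc:normal
+##### Example: aes256-cts-hmac-sha384-192:normal
 
 dn: cn=schema
 changetype: modify
@@ -533,7 +533,7 @@ attributetypes: ( 2.16.840.1.113719.1.301.4.42.1
 ##### ONLYREALM
 ##### SPECIAL
 ##### AFS3
-##### Example: des-cbc-crc:normal
+##### Example: aes256-cts-hmac-sha384-192:normal
 #####
 ##### This attribute obsoletes the krbSupportedEncTypes and krbSupportedSaltTypes
 ##### attributes.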
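diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
index 52036a178..171f66927 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
@@ -410,7 +410,7 @@ attributetype ( 2.16.840.1.113719.1.301.4.41.1
 ##### Holds the default encryption/salt type combinations of principals for
 ##### the Realm. Stores in the form of key:salt strings. This will be
 ##### subset of the supported encryption/salt types.
-##### Example: des-cbc-crc:normal
+##### Example: aes256-cts-hmac-sha384-192:normal
 
 attributetype ( 2.16.840.1.113719.1.301.4.42.1
 NAME 'krbDefaultEncSaltTypes'
@@ -428,7 +428,7 @@ attributetype ( 2.16.840.1.113719.1.301.4.42.1
 ##### ONLYREALM
 ##### SPECIAL
 ##### AFS3
-##### Example: des-cbc-crc:normal
+##### Example: aes256-cts-hmac-sha384-192:normal
 
 attributetype ( 2.16.840.1.113719.1.301.4.43.1
 NAME 'krbSupportedEncSaltTypes'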