Kerberos is a nearly pure authentication system based on:
The only authorization aspect is in the administrative protocol, to delimit the authority of system administrators.
There are at least these implementations of Kerberos:
There are some disparate tables in the documentation and
salt types, here is a merged table:
|0x0001 (1)||des-cbc-crc||Y||DES cbc mode with CRC-32||Y||Y||Y|
|0x0001 (2)||des-cbc-md4||Y||DES cbc mode with RSA-MD4||Y||Y||Y|
|0x0003 (3)||des-cbc-md5||Y||DES cbc mode with RSA-MD5||Y||Y||Y|
|0x0004 (4)||des-cbc-raw||Y||DES cbc mode raw||Y||Y||Y|
|0x0008 (8)||des-hmac-sha1||Y||DES with HMAC/SHA1||Y||Y||Y|
|0x0005 (5)||des3-cbc-sha1||Triple DES cbc mode with HMAC/sha1||Y||Y|
|0x0006 (6)||des3-cbc-raw||Y||Triple DES cbc mode raw||Y||Y||Y|
|0x0017 (23)||arcfour-hmac||?||RC4 with HMAC/MD5||Y||Y||Y|
|0x0018 (24)||arcfour-hmac-exp||Y||Exportable RC4 with HMAC/MD5||-||-||Y|
|0x0011 (17)||aes128-cts-hmac-sha1-96||AES-128 CTS mode with 96-bit SHA-1 HMAC||≥1.3.1||Y||≥VISTA|
|0x0012 (18)||aes256-cts-hmac-sha1-96||AES-256 CTS mode with 96-bit SHA-1 HMAC||≥1.3.1||Y||≥VISTA|
|0x0001 (1)||camellia128-cts-cmac||Camellia-128 CTS mode with CMAC||≥1.11|
|0x0001 (1)||camellia256-cts-cmac||Camellia-256 CTS mode with CMAC||≥1.11|
|des||des-cbc-crc des-cbc-md5 and des-cbc-md4|
This section is about known hints and issues with various aspects of common filesystems. They can be just inconveniences or limitations or severe performance problems.
realmnames are case sensitive, unlike DNS names, so there is a problem when matching DNS names with realm names. The convention is that there is a default mapping from DNS names to all upper case realm names, so the convention is to use all upper case realm names that with the same spelling as related DNS name.
cellnames are case insentitive, and are usually written all lower case and with the same spelling as the related DNS name. There is a default mapping from all lower case cell names to all upper case realm names.
kvnois incremented as a new key instance is created, which means that previous keytab entries need to be updated, because all keytab entries and tickets with previous
kvnos are now invalid. In effect in kadmin the command ktadd is a variant of chpw -randkey.
kvnoand will pick the first
enctypeassociated with the key, where
firstis the one listed first by getprinc, which is the
enctypelisted first in supported_enctypes when the key with that
nonein several messages; other types are no longer much used:
<geekosaur> afs3 would be only used if you needed compatibility with a kaserver, and v4 only if you need compatibility with kerberos 4; there are significant security holes with both, so not at all recommended
enctypesfor the session keys to be issued by the KDC for that principal.
enctypescamellia128-cts-cmac and camellia256-cts-cmac which are not supported by MS-Windows.
enctypesunless allow_weak_crypto is enabled in krb5.conf.
enctypesby family (des, des3, aes, rc4).
These are pointers to some of the entries in my technical blog where auth is discussed: