Notes about Linux authentication and authorization

Updated: 2013-09-15
Created: 2012-12-06

Auth references (120812)

General (120812)

Auth frameworks and implementations (120812)

Kerberos (130915)

Kerberos is a nearly pure authentication system based on:

The only authorization aspect is in the administrative protocol, to delimit the authority of system administrators.

There are at least these implementations of Kerberos:

There are some disparate tables in the documentation and elsewhere on enctypes and salt types (1, 2, 3, 4) here is a merged table:

MIT Kerberos enctypes
code name weak description MIT H5L MS
0x0001 (1) des-cbc-crc Y DES cbc mode with CRC-32 Y Y <Server 2008R2, <7
0x0001 (2) des-cbc-md4 Y DES cbc mode with RSA-MD4 Y Y <Server 2008R2, <7
0x0003 (3) des-cbc-md5 Y DES cbc mode with RSA-MD5 Y Y <Server 2008R2, <7
0x0004 (4) des-cbc-raw Y DES cbc mode raw Y Y <Server 2008R2, <7
0x0008 (8) des-hmac-sha1 Y DES with HMAC/SHA1 Y Y <Server 2008R2, <7
0x0005 (5) des3-cbc-sha1   Triple DES cbc mode with HMAC/sha1 Y Y N
0x0006 (6) des3-cbc-raw Y Triple DES cbc mode raw Y Y N
0x0017 (23) arcfour-hmac ? RC4 with HMAC/MD5 Y Y Y
0x0018 (24) arcfour-hmac-exp Y Exportable RC4 with HMAC/MD5 - - ≥2000
0x0011 (17) aes128-cts-hmac-sha1-96   AES-128 CTS mode with 96-bit SHA-1 HMAC ≥1.3.1 Y ≥VISTA, ≥Server 2008R2
0x0012 (18) aes256-cts-hmac-sha1-96   AES-256 CTS mode with 96-bit SHA-1 HMAC ≥1.3.1 Y ≥7, ≥Server 2008
0x00019 (25) camellia128-cts-cmac   Camellia-128 CTS mode with CMAC ≥1.11    
0x0001a (26) camellia256-cts-cmac   Camellia-256 CTS mode with CMAC ≥1.11    
MIT Kerberos enctype aliases
name alias
des des-cbc-crc des-cbc-md5 and des-cbc-md4
des3 des3-cbc-sha1
des3-hmac-sha1 des3-cbc-sha1
des3-cbc-sha1-kd des3-cbc-sha1
rc4 arcfour-hmac
rc4-hmac arcfour-hmac
arcfour-hmac-md5 arcfour-hmac
aes aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
aes128-cts aes128-cts-hmac-sha1-96
aes256-cts aes256-cts-hmac-sha1-96
camellia camellia256-cts-cmac camellia128-cts-cmac
camellia128-cts camellia128-cts-cmac
camellia256-cts camellia256-cts-cmac

Auth hints

This section is about known hints and issues with various aspects of common filesystems. They can be just inconveniences or limitations or severe performance problems.

Auth hints for passwd (120812)

Auth hints for Kerberos (130119)

Auth hints for MIT Kerberos (121228)

Version independent:

Version dependent:

Some of my notes on auth (120812)

These are pointers to some of the entries in my technical blog where auth is discussed: