Kerberos is a nearly pure authentication system based on:
The only authorization aspect is in the administrative protocol, to delimit the authority of system administrators.
There are at least these implementations of Kerberos:
|0x0001 (1)||des-cbc-crc||Y||DES cbc mode with CRC-32||Y||Y||<Server 2008R2, <7|
|0x0001 (2)||des-cbc-md4||Y||DES cbc mode with RSA-MD4||Y||Y||<Server 2008R2, <7|
|0x0003 (3)||des-cbc-md5||Y||DES cbc mode with RSA-MD5||Y||Y||<Server 2008R2, <7|
|0x0004 (4)||des-cbc-raw||Y||DES cbc mode raw||Y||Y||<Server 2008R2, <7|
|0x0008 (8)||des-hmac-sha1||Y||DES with HMAC/SHA1||Y||Y||<Server 2008R2, <7|
|0x0005 (5)||des3-cbc-sha1||Triple DES cbc mode with HMAC/sha1||Y||Y||N|
|0x0006 (6)||des3-cbc-raw||Y||Triple DES cbc mode raw||Y||Y||N|
|0x0017 (23)||arcfour-hmac||?||RC4 with HMAC/MD5||Y||Y||Y|
|0x0018 (24)||arcfour-hmac-exp||Y||Exportable RC4 with HMAC/MD5||-||-||≥2000|
|0x0011 (17)||aes128-cts-hmac-sha1-96||AES-128 CTS mode with 96-bit SHA-1 HMAC||≥1.3.1||Y||≥VISTA, ≥Server 2008R2|
|0x0012 (18)||aes256-cts-hmac-sha1-96||AES-256 CTS mode with 96-bit SHA-1 HMAC||≥1.3.1||Y||≥7, ≥Server 2008|
|0x00019 (25)||camellia128-cts-cmac||Camellia-128 CTS mode with CMAC||≥1.11|
|0x0001a (26)||camellia256-cts-cmac||Camellia-256 CTS mode with CMAC||≥1.11|
|des||des-cbc-crc des-cbc-md5 and des-cbc-md4|
This section is about known hints and issues with various aspects of common filesystems. They can be just inconveniences or limitations or severe performance problems.
realmnames are case sensitive, unlike DNS names, so there is a problem when matching DNS names with realm names. The convention is that there is a default mapping from DNS names to all upper case realm names, so the convention is to use all upper case realm names that with the same spelling as related DNS name.
cellnames are case insentitive, and are usually written all lower case and with the same spelling as the related DNS name. There is a default mapping from all lower case cell names to all upper case realm names.
Expand single-component hostnames in host-based principal names when DNS canonicalization is not used, adding the system's first DNS search path as a suffix.
enctypesfor the session keys to be issued by the KDC for that principal.
enctypescamellia128-cts-cmac and camellia256-cts-cmac which are not supported by MS-Windows. These types were added experimentally in 1.9 but they did not have official numbers yet and disabled by default.
enctypesunless allow_weak_crypto is enabled in krb5.conf.
enctypesby family (des, des3, aes, rc4).
kvnois incremented as a new key instance is created, which means that previous keytab entries need to be updated, because all keytab entries and tickets with previous
kvnos are now invalid. In effect in kadmin the command ktadd is a variant of chpw -randkey.
kvnoand will pick the first
enctypeassociated with the key, where
firstis the one listed first by getprinc, which is the
enctypelisted first in supported_enctypes when the key with that
nonein several messages; other types are no longer much used:
<geekosaur> afs3 would be only used if you needed compatibility with a kaserver, and v4 only if you need compatibility with kerberos 4; there are significant security holes with both, so not at all recommended
These are pointers to some of the entries in my technical blog where auth is discussed: