Salting is really Encryption types and salting.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@20632 ec53bebd-3082-4978-b11e-865c3cabbd6b
@@ -23,7 +23,7 @@ doing so. It will make life easier for you and everyone else.
|
||||
* Testing clients and servers::
|
||||
* Slave Servers::
|
||||
* Incremental propagation::
|
||||
* Salting::
|
||||
* Encryption types and salting::
|
||||
* Cross realm::
|
||||
* Transit policy::
|
||||
* Setting up DNS::
|
||||
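Review bot: Renaming the menu entry from Salting to Encryption types and salting changes the node name, so any @ref, @xref or @pxref to the old Salting node elsewhere in the manual would now dangle. This patch only shows the menu and the neighbouring @node pointers being updated. Worth grepping the other .texi files for the old node name before merging.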
@@ -552,7 +552,7 @@ automate this you will want to start
|
||||
Starting the propagation once an hour from @command{cron} is probably a
|
||||
good idea.
|
||||
|
||||
@node Incremental propagation, Salting, Slave Servers, Setting up a realm
|
||||
@node Incremental propagation, Encryption types and salting, Slave Servers, Setting up a realm
|
||||
@section Incremental propagation
|
||||
|
||||
There is also a newer, and still somewhat experimental, mechanism for
|
||||
@@ -612,9 +612,15 @@ slave# /usr/heimdal/libexec/ipropd-slave master &
|
||||
To manage the iprop log file you should use the @command{iprop-log}
|
||||
command. With it you can dump, truncate and replay the logfile.
|
||||
|
||||
@node Salting, Cross realm, Incremental propagation, Setting up a realm
|
||||
@section Salting
|
||||
@node Encryption types and salting, Cross realm, Incremental propagation, Setting up a realm
|
||||
@section Encryption types and salting
|
||||
@cindex Salting
|
||||
@cindex Encryption types
|
||||
|
||||
The encryption types that the KDC is going to assign by default is
|
||||
possible to change. Since the keys used for user authentication is
|
||||
salted the encryption types are described together with the salt
|
||||
strings.
|
||||
|
||||
Salting is used to make it harder to pre-calculate all possible
|
||||
keys. Using a salt increases the search space to make it almost
|
||||
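Review bot: The new introductory paragraph under @section Encryption types and salting has two agreement errors and reads awkwardly: "The encryption types ... is possible to change" and "the keys used for user authentication is salted". Suggest "The encryption types that the KDC assigns by default can be changed. Since the keys used for user authentication are salted, the encryption types are described together with the salt strings." It would also help to name the setting here ([kadmin]default_keys, which only appears further down) so the reader knows where the change is made.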
@@ -623,8 +629,8 @@ public string (the salt) with the password, then sending it through an
|
||||
encryption type specific string-to-key function that will output the
|
||||
fixed size encryption key.
|
||||
|
||||
In Kerberos 5 the salt is determined by the encryption-type, except
|
||||
in some special cases.
|
||||
In Kerberos 5 the salt is determined by the encryption type, except in
|
||||
some special cases.
|
||||
|
||||
In @code{des} there is the Kerberos 4 salt
|
||||
(none at all) or the afs-salt (using the cell (realm in
|
||||
@@ -639,10 +645,11 @@ what salting to use.
|
||||
|
||||
The syntax of @code{[kadmin]default_keys} is
|
||||
@samp{[etype:]salt-type[:salt-string]}. @samp{etype} is the encryption
|
||||
type (des, des3, arcfour), @code{salt-type} is the type of salt (pw-salt
|
||||
or afs3-salt), and the salt-string is the string that will be used as
|
||||
salt (remember that if the salt is appended/prepended, the empty salt ""
|
||||
is the same thing as no salt at all).
|
||||
type (des-cbc-crc, arcfour-hmac-md5, aes256-cts-hmac-sha1-96),
|
||||
@code{salt-type} is the type of salt (pw-salt or afs3-salt), and the
|
||||
salt-string is the string that will be used as salt (remember that if
|
||||
the salt is appended/prepended, the empty salt "" is the same thing as
|
||||
no salt at all).
|
||||
|
||||
Common types of salting include
|
||||
|
||||
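Review bot: In the rewritten etype parenthetical, the list (des-cbc-crc, arcfour-hmac-md5, aes256-cts-hmac-sha1-96) reads as exhaustive and silently drops des3 as well as the short names des and arcfour that the old wording gave. Suggest marking it as examples ("for example ...") and stating whether the short names are still accepted in default_keys, so configurations written from the old text are not assumed invalid. The sentence also mixes @samp{etype}, @code{salt-type} and a bare salt-string; using one markup for all three fields of the syntax would be more consistent.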
@@ -666,7 +673,7 @@ the cell name appended to the password.
|
||||
|
||||
@end itemize
|
||||
|
||||
@node Cross realm, Transit policy, Salting, Setting up a realm
|
||||
@node Cross realm, Transit policy, Encryption types and salting, Setting up a realm
|
||||
@section Cross realm
|
||||
@cindex Cross realm
|
||||
|
||||