Kerberos ETypes
© 2009 Dennis Leeuw dleeuw at made-it dot com
encryption type               etype  section or comment
-----------------------------------------------------------------
des-cbc-crc                       1  6.2.3
des-cbc-md4                       2  6.2.2
des-cbc-md5                       3  6.2.1
[reserved]                        4
des3-cbc-md5                      5
[reserved]                        6
des3-cbc-sha1                     7
dsaWithSHA1-CmsOID                9  (pkinit)
md5WithRSAEncryption-CmsOID      10  (pkinit)
sha1WithRSAEncryption-CmsOID     11  (pkinit)
rc2CBC-EnvOID                    12  (pkinit)
rsaEncryption-EnvOID             13  (pkinit from PKCS#1 v1.5)
rsaES-OAEP-ENV-OID               14  (pkinit from PKCS#1 v2.0)
des-ede3-cbc-Env-OID             15  (pkinit)
des3-cbc-sha1-kd                 16  6.3
aes128-cts-hmac-sha1-96          17  [KRB5-AES]
aes256-cts-hmac-sha1-96          18  [KRB5-AES]
rc4-hmac                         23  (Microsoft)
rc4-hmac-exp                     24  (Microsoft)
subkey-keymaterial               65  (opaque; PacketCable)

From ntsecapi.h in the Microsoft SDK:
// Microsoft-private etypes are negative; the hex column is the same
// value as an unsigned 32-bit integer, which is how it appears in
// many packet and log dumps.
#define KERB_ETYPE_RC4_MD4           -128  // FFFFFF80
#define KERB_ETYPE_RC4_PLAIN2        -129  // FFFFFF7F
#define KERB_ETYPE_RC4_LM            -130  // FFFFFF7E
#define KERB_ETYPE_RC4_SHA           -131  // FFFFFF7D
#define KERB_ETYPE_DES_PLAIN         -132  // FFFFFF7C
#define KERB_ETYPE_RC4_HMAC_OLD      -133  // FFFFFF7B
#define KERB_ETYPE_RC4_PLAIN_OLD     -134  // FFFFFF7A
#define KERB_ETYPE_RC4_HMAC_OLD_EXP  -135  // FFFFFF79
#define KERB_ETYPE_RC4_PLAIN_OLD_EXP -136  // FFFFFF78
#define KERB_ETYPE_RC4_PLAIN         -140  // FFFFFF74
#define KERB_ETYPE_RC4_PLAIN_EXP     -141  // FFFFFF73
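As an added example (not part of the original page), the etype table and the ntsecapi.h values above as a small Python lookup that folds an unsigned 32-bit hex dump such as FFFFFF80 back to its signed etype and labels the DES/3DES/RC4 families as deprecated; the "weak"/"strong" classes are my own labels based on RFC 6649 and RFC 8429, not something the page states.

```python
import re

# Standard etype numbers, copied from the table above.
ETYPES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    5: "des3-cbc-md5", 7: "des3-cbc-sha1", 16: "des3-cbc-sha1-kd",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac", 24: "rc4-hmac-exp", 65: "subkey-keymaterial",
}
# Microsoft-private etypes (negative), copied from the ntsecapi.h list above.
MS_ETYPES = {
    -128: "KERB_ETYPE_RC4_MD4", -129: "KERB_ETYPE_RC4_PLAIN2",
    -130: "KERB_ETYPE_RC4_LM", -131: "KERB_ETYPE_RC4_SHA",
    -132: "KERB_ETYPE_DES_PLAIN", -133: "KERB_ETYPE_RC4_HMAC_OLD",
    -134: "KERB_ETYPE_RC4_PLAIN_OLD", -135: "KERB_ETYPE_RC4_HMAC_OLD_EXP",
    -136: "KERB_ETYPE_RC4_PLAIN_OLD_EXP", -140: "KERB_ETYPE_RC4_PLAIN",
    -141: "KERB_ETYPE_RC4_PLAIN_EXP",
}

def normalize_etype(value):
    """Accept an int, a decimal string, or an 8-digit hex string such as
    'FFFFFF80' and return the signed 32-bit etype Kerberos actually carries."""
    if isinstance(value, str):
        s = value.strip()
        n = int(s, 16) if re.fullmatch(r"(0x)?[0-9A-Fa-f]{8}", s) else int(s, 10)
    else:
        n = int(value)
    if n > 0x7FFFFFFF:          # unsigned dump of a negative etype
        n -= 0x100000000
    return n

def etype_name(value):
    n = normalize_etype(value)
    return ETYPES.get(n) or MS_ETYPES.get(n) or "unknown(%d)" % n

def etype_strength(value):
    """'strong' for the AES etypes; 'weak' for DES, 3DES and RC4 families
    (deprecated by RFC 6649 / RFC 8429); 'unknown' for anything else."""
    name = etype_name(value).lower()
    if name.startswith("aes"):
        return "strong"
    if "des" in name or "rc4" in name:
        return "weak"
    return "unknown"

if __name__ == "__main__":
    # Constructed sample: etypes as they might appear in a ticket dump.
    for e in (18, "17", "23", "FFFFFF80", "0xFFFFFF7B", -132, 65):
        print(e, etype_name(e), etype_strength(e))
```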
To make sure that our AD server also has this zone, we allow AD to transfer it, so our named.conf has the following setup:
zone "krb5.example.com" {
    type master;
    file "internal/com.example.krb5.zone";
    check-names ignore;
    allow-transfer {
        // ad server
        192.168.1.2;
    };
    allow-update {
        // test client
        192.168.1.3;
    };
    notify no;
};
You will note that we have an entry allowing a client to do updates. This is so that the client can put its IP address in the zone file: AD relies on the ability to resolve client host names to IP addresses, and since we use DHCP to supply IP addresses to our clients, we need a way to do automatic DNS updates (RFC 2136). The reverse zone is not needed, at least not that we have found.