The Kerberos 5 GSS-API Mechanism

This section describes and lists security features regarding Java Generic Security Services (Java GSS) for Kerberos 5. It also describes the Object Identifier (OID) for the Kerberos V5 mechanism, the encryption types, and the krb5.conf settings supported by Java GSS.

The Generic Security Services Application Program Interface (GSS-API) mechanism is defined by RFC 1964 and supplemented with RFC 4121 under the Internet Standards process.

The OID for the Kerberos V5 Mechanism

According to RFC 1964 section 1, the OID of the Kerberos V5 mechanism, which Java Generic Security Services (Java GSS) uses to identify it, is defined as 1.2.840.113554.1.2.2; see also GSSAPI Mechanisms in Java Security Standard Algorithm Names.

Java GSS/Kerberos Supported Encryption Types

The following table lists the preferred order of Java GSS/Kerberos supported encryption types.

Table 7-1 Java GSS/Kerberos Supported Encryption Types

Name                        Aliases                    etype Number
aes256-cts-hmac-sha1-96     aes256-sha1, aes256-cts    18
aes128-cts-hmac-sha1-96     aes128-sha1, aes128-cts    17
aes256-cts-hmac-sha384-192  aes256-sha2                20
aes128-cts-hmac-sha256-128  aes128-sha2                19
des3-cbc-sha1               des3-hmac-sha1             16
arcfour-hmac-md5            arcfour-hmac, rc4-hmac     23
des-cbc-crc                 None                       1
des-cbc-md5                 None                       3

Note:

The AES-256 encryption type is enabled by default. The DES-based encryption types, including des-cbc-crc and des-cbc-md5, are disabled by default.

A user can restrict which encryption types are used for various purposes (default_tkt_enctypes, default_tgs_enctypes and permitted_enctypes) in the [libdefaults] section of krb5.conf.

Supported krb5.conf Settings

The following parameters are supported:

include FILENAME
includedir DIRNAME

[libdefaults]
default_realm
allow_weak_crypto

dns_lookup_kdc
dns_lookup_realm
dns_fallback

default_checksum
safe_checksum_type
ap_req_checksum_type
default_keytab_name

default_tkt_enctypes
permitted_enctypes
default_tgs_enctypes

no_addresses
noaddresses

renewable
proxiable
forwardable

kdc_default_options
clockskew

kdc_timeout
udp_preference_limit

max_retries
renew_lifetime
ticket_lifetime

[realms]
  REALM.NAME = {
      kdc
      kdc_timeout
      udp_preference_limit
      max_retries
  }

[capaths]
  A = {
    I = .
    B = I
  }

[domain_realm]
  domain=REALM

The following are the defaults for the krb5.conf file parameters:

no_addresses = true
noaddresses = true
dns_lookup_kdc = true
dns_lookup_realm = false
allow_weak_crypto = false
kdc_timeout = 30s
max_retries = 3
udp_preference_limit = 1465
clockskew = 300
renewable = false
proxiable = false
forwardable = false
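The following is an added example (not code from the JDK documentation) that audits the [libdefaults] section of a krb5.conf for the settings discussed above: it resolves the enctype names and aliases from Table 7-1 to their etype numbers and flags allow_weak_crypto = true and any DES-based enctype, which this page says are disabled by default. The two configuration texts are constructed for the example, and the choice to treat only etypes 1 and 3 as weak follows the page's note rather than any JDK source.

```python
import re

# Encryption types from Table 7-1: canonical name -> (etype number, aliases)
ENCTYPES = {
    "aes256-cts-hmac-sha1-96":    (18, ("aes256-sha1", "aes256-cts")),
    "aes128-cts-hmac-sha1-96":    (17, ("aes128-sha1", "aes128-cts")),
    "aes256-cts-hmac-sha384-192": (20, ("aes256-sha2",)),
    "aes128-cts-hmac-sha256-128": (19, ("aes128-sha2",)),
    "des3-cbc-sha1":              (16, ("des3-hmac-sha1",)),
    "arcfour-hmac-md5":           (23, ("arcfour-hmac", "rc4-hmac")),
    "des-cbc-crc":                (1, ()),
    "des-cbc-md5":                (3, ()),
}
ALIAS = {a: n for n, (_, aliases) in ENCTYPES.items() for a in aliases}
ALIAS.update({n: n for n in ENCTYPES})
# Assumption: the DES types the page says are disabled by default are the "weak" set.
WEAK_ETYPES = {1, 3}

def parse_libdefaults(text):
    """Return flat key = value pairs from the [libdefaults] section; '#' starts a comment."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            out[k] = v
    return out

def resolve_enctypes(value):
    """Map a space-separated enctype list to (canonical name, etype); unknown names get None."""
    out = []
    for tok in value.split():
        name = ALIAS.get(tok.lower())
        out.append((name or tok, ENCTYPES[name][0] if name else None))
    return out

def audit(text):
    """Return a list of findings; an empty list means no weak setting was found."""
    cfg, findings = parse_libdefaults(text), []
    if cfg.get("allow_weak_crypto", "false").lower() == "true":
        findings.append("allow_weak_crypto = true re-enables DES enctypes (default is false)")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        for name, num in resolve_enctypes(cfg.get(key, "")):
            if num is None:
                findings.append(f"{key}: unknown enctype '{name}'")
            elif num in WEAK_ETYPES:
                findings.append(f"{key}: weak enctype {name} (etype {num})")
    return findings

# Constructed sample configurations: one re-enabling DES, one AES-only.
WEAK_CONF = """[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = true
    default_tkt_enctypes = aes256-cts rc4-hmac des-cbc-md5
    permitted_enctypes = aes256-sha1 aes128-sha1 des-cbc-crc
"""
HARDENED_CONF = """[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = false  # the default
    default_tkt_enctypes = aes256-cts-hmac-sha384-192 aes256-cts-hmac-sha1-96
    permitted_enctypes = aes256-sha2 aes128-sha2 aes256-sha1 aes128-sha1
"""
```

Running audit(WEAK_CONF) reports the allow_weak_crypto override and the two DES enctypes with their etype numbers, while audit(HARDENED_CONF) returns an empty list.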