The Kerberos 5 GSS-API Mechanism
This section describes and lists security features regarding Java Generic Security Services (Java GSS) for Kerberos 5. It also describes the Object Identifier (OID) for the Kerberos V5 mechanism, the encryption types, and the krb5.conf settings supported by Java GSS.
The Generic Security Services Application Program Interface (GSS-API) mechanism is defined by RFC 1964 and supplemented with RFC 4121 under the Internet Standards process.
The OID for the Kerberos V5 Mechanism
According to RFC 1964 section 1, the OID for Java Generic Security Services (Java GSS) for Kerberos 5 is defined as 1.2.840.113554.1.2.2; see also GSSAPI Mechanisms in Java Security Standard Algorithm Names.
Java GSS/Kerberos Supported Encryption Types
The following table lists the preferred order of Java GSS/Kerberos supported encryption types.
Table 7-1 Java GSS/Kerberos Supported Encryption Types
Name | Aliases | etype Number |
---|---|---|
aes256-cts-hmac-sha1-96 | aes256-sha1, aes256-cts | 18 |
aes128-cts-hmac-sha1-96 | aes128-sha1, aes128-cts | 17 |
aes256-cts-hmac-sha384-192 | aes256-sha2 | 20 |
aes128-cts-hmac-sha256-128 | aes128-sha2 | 19 |
des3-cbc-sha1 | des3-hmac-sha1 | 16 |
arcfour-hmac-md5 | arcfour-hmac, rc4-hmac | 23 |
des-cbc-crc | None | 1 |
des-cbc-md5 | None | 3 |
Note:
The AES-256 encryption type is enabled by default. The following legacy encryption types are disabled by default:
- The DES-based encryption types, including des-cbc-crc and des-cbc-md5
- des3-cbc-sha1
- arcfour-hmac-md5
A user can restrict the usage of encryption types for various purposes in krb5.conf, in the [libdefaults] section.
Supported krb5.conf Settings
The following parameters are supported:
```
include FILENAME
includedir DIRNAME

[libdefaults]
    allow_weak_crypto
    canonicalize
    clockskew
    default_keytab_name
    default_realm
    default_tgs_enctypes
    default_tkt_enctypes
    dns_canonicalize_hostname
    dns_fallback
    dns_lookup_kdc
    dns_lookup_realm
    extra_addresses
    forwardable
    kdc_default_options
    kdc_timeout
    max_retries
    no_addresses
    noaddresses
    permitted_enctypes
    proxiable
    renew_lifetime
    renewable
    ticket_lifetime
    udp_preference_limit

[realms]
    REALM.NAME = {
        kdc
        kdc_timeout
        udp_preference_limit
        max_retries
    }

[capaths]
    A = {
        I = .
        B = I
    }

[domain_realm]
    domain = REALM
```
The following are the defaults for the krb5.conf file parameters:

```
allow_weak_crypto = false
canonicalize = false
clockskew = 300
default_tgs_enctypes = <value of permitted_enctypes>
default_tkt_enctypes = <value of permitted_enctypes>
dns_canonicalize_hostname = true
dns_lookup_kdc = true
dns_lookup_realm = false
forwardable = false
kdc_timeout = 30s
max_retries = 3
no_addresses = true
noaddresses = true
permitted_enctypes = <all encryption types in Table 7-1>
proxiable = false
renewable = false
udp_preference_limit = 1465
```
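The following is an added example, not code from the Java GSS documentation or the JDK itself. It ties together Table 7-1, the note on disabled legacy types, and the documented [libdefaults] defaults: a small krb5.conf reader resolves enctype aliases to their canonical names and etype numbers, fills in the documented defaults for anything the file does not set, and reports when allow_weak_crypto has been turned on so that DES, 3DES or RC4 types listed in permitted_enctypes, default_tgs_enctypes or default_tkt_enctypes would actually take effect. The parser is deliberately minimal (flat keys only; nested realm blocks are skipped), and the two sample configurations are constructed for the example.

```python
"""Audit krb5.conf [libdefaults] against Java GSS/Kerberos Table 7-1 and the
documented defaults. Added example; the sample configs below are constructed."""
import re

# Table 7-1, in the documented preferred order: (canonical name, aliases, etype).
ENCTYPES = [
    ("aes256-cts-hmac-sha1-96", ("aes256-sha1", "aes256-cts"), 18),
    ("aes128-cts-hmac-sha1-96", ("aes128-sha1", "aes128-cts"), 17),
    ("aes256-cts-hmac-sha384-192", ("aes256-sha2",), 20),
    ("aes128-cts-hmac-sha256-128", ("aes128-sha2",), 19),
    ("des3-cbc-sha1", ("des3-hmac-sha1",), 16),
    ("arcfour-hmac-md5", ("arcfour-hmac", "rc4-hmac"), 23),
    ("des-cbc-crc", (), 1),
    ("des-cbc-md5", (), 3),
]
# Legacy types that are disabled by default and only usable with allow_weak_crypto.
WEAK = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "arcfour-hmac-md5"}

ALIAS_TO_NAME, ETYPE_NUMBER = {}, {}
for _name, _aliases, _num in ENCTYPES:
    ETYPE_NUMBER[_name] = _num
    ALIAS_TO_NAME[_name] = _name
    for _alias in _aliases:
        ALIAS_TO_NAME[_alias] = _name

# Documented defaults for the settings that have a fixed default value.
DEFAULTS = {
    "allow_weak_crypto": "false", "canonicalize": "false", "clockskew": "300",
    "dns_canonicalize_hostname": "true", "dns_lookup_kdc": "true",
    "dns_lookup_realm": "false", "forwardable": "false", "kdc_timeout": "30s",
    "max_retries": "3", "no_addresses": "true", "noaddresses": "true",
    "proxiable": "false", "renewable": "false", "udp_preference_limit": "1465",
}

# Constructed sample inputs (not real deployments).
STRONG_CONF = """[libdefaults]
default_realm = EXAMPLE.COM
permitted_enctypes = aes256-sha1 aes128-sha1
"""
LEGACY_CONF = """[libdefaults]
allow_weak_crypto = true
permitted_enctypes = aes256-cts rc4-hmac des-cbc-md5
[realms]
EXAMPLE.COM = {
    kdc = kdc.example.com
}
"""


def parse_krb5_conf(text):
    """Return {section: {key: value}} for flat keys; '{ ... }' blocks are skipped."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif current is not None and depth == 0 and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def effective_libdefaults(sections):
    """Overlay explicit [libdefaults] values on the documented defaults."""
    eff = dict(DEFAULTS)
    eff.update(sections.get("libdefaults", {}))
    # permitted_enctypes defaults to all of Table 7-1; the tgs/tkt lists default to it.
    eff.setdefault("permitted_enctypes", " ".join(n for n, _, _ in ENCTYPES))
    eff.setdefault("default_tgs_enctypes", eff["permitted_enctypes"])
    eff.setdefault("default_tkt_enctypes", eff["permitted_enctypes"])
    return eff


def resolve_enctypes(value):
    """Map a space/comma separated list of names or aliases to (name, etype) pairs."""
    resolved = []
    for token in re.split(r"[,\s]+", value.strip()):
        if not token:
            continue
        name = ALIAS_TO_NAME.get(token.lower())
        if name is None:
            raise ValueError(f"unknown enctype {token!r}")
        resolved.append((name, ETYPE_NUMBER[name]))
    return resolved


def audit(text):
    """Return findings as strings; an empty list means no weak crypto is effective."""
    eff = effective_libdefaults(parse_krb5_conf(text))
    findings = []
    weak_enabled = eff["allow_weak_crypto"].lower() == "true"
    if weak_enabled:
        findings.append("allow_weak_crypto = true re-enables DES, 3DES and RC4")
    for key in ("permitted_enctypes", "default_tgs_enctypes", "default_tkt_enctypes"):
        weak = [f"{n}({e})" for n, e in resolve_enctypes(eff[key]) if n in WEAK]
        if weak and weak_enabled:  # listed weak types only matter once enabled
            findings.append(f"{key} allows weak types: {', '.join(weak)}")
    return findings


if __name__ == "__main__":
    for label, conf in (("strong", STRONG_CONF), ("legacy", LEGACY_CONF)):
        print(label, audit(conf) or ["ok"])
```

Because the defaults in this page make default_tgs_enctypes and default_tkt_enctypes inherit from permitted_enctypes, a single weak entry in permitted_enctypes shows up in all three lists once allow_weak_crypto is on, which is why the audit reports each key separately.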