This section describes and lists security features regarding Java Generic Security Services (Java GSS) for Kerberos 5. It also describes the Object Identifier (OID) for the Kerberos V5 mechanism, the encryption types, and the krb5.conf settings supported by Java GSS.
The Generic Security Services Application Program Interface (GSS-API) mechanism is defined by RFC 1964 and supplemented with RFC 4121 under the Internet Standards process.
The OID for the Kerberos V5 Mechanism
According to RFC 1964 section 1, the OID for Java Generic Security Services (Java GSS) for Kerberos 5 is defined as 1.2.840.113554.1.2.2; see also GSSAPI Mechanisms in Java Security Standard Algorithm Names.
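As an added example (not code from the Java documentation itself), the following program builds the Kerberos V5 mechanism OID from the value above and checks, before any security context is created, that the default GSSManager actually offers that mechanism and which name types it accepts. The class name `KerberosMechCheck` and the helper `isKerberosAvailable` are this example's own; `Oid`, `GSSManager.getMechs()`, `Oid.containedIn()` and `GSSManager.getNamesForMech()` are standard `org.ietf.jgss` API.

```java
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

// Example class (not part of the JDK): verifies the Kerberos V5 mechanism is available.
public class KerberosMechCheck {

    // OID for the Kerberos V5 mechanism, as defined in RFC 1964 section 1.
    static final Oid KRB5_MECH_OID;

    static {
        try {
            KRB5_MECH_OID = new Oid("1.2.840.113554.1.2.2");
        } catch (GSSException e) {
            // The literal above is well-formed, so this cannot happen in practice.
            throw new ExceptionInInitializerError(e);
        }
    }

    /** Returns true if the given GSSManager lists the Kerberos V5 mechanism. */
    static boolean isKerberosAvailable(GSSManager manager) {
        // getMechs() returns every mechanism OID the provider supports.
        return KRB5_MECH_OID.containedIn(manager.getMechs());
    }

    public static void main(String[] args) throws GSSException {
        GSSManager manager = GSSManager.getInstance();

        if (!isKerberosAvailable(manager)) {
            // Fail closed: do not fall back to some other mechanism silently.
            System.err.println("Kerberos V5 mechanism " + KRB5_MECH_OID + " is not available");
            System.exit(1);
        }
        System.out.println("Kerberos V5 mechanism " + KRB5_MECH_OID + " is available");

        // Name types this mechanism can work with (e.g. Kerberos principal, host-based service).
        for (Oid nameType : manager.getNamesForMech(KRB5_MECH_OID)) {
            System.out.println("  supported name type: " + nameType);
        }
    }
}
```

Checking the mechanism explicitly, and exiting when it is absent, is preferable to passing `null` as the mechanism and letting the provider pick a default, because it guarantees the context that follows is negotiated with Kerberos V5 rather than whatever happens to be installed.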
Java GSS/Kerberos Supported Encryption Types
The following table lists the encryption types supported by Java GSS/Kerberos, in order of preference.
Table 7-1 Java GSS/Kerberos Supported Encryption Types
Name | etype Number
---|---
aes256-cts | 18
aes128-cts | 17
rc4-hmac | 23
des3-cbc-sha1 | 16
des-cbc-md5 | 3
des-cbc-crc | 1
Note:
The AES-256 encryption type is enabled by default. The DES-based encryption types, including des-cbc-crc and des-cbc-md5, are disabled by default. A user can restrict which encryption types are used for various purposes in krb5.conf, in the [libdefaults] section.
Supported krb5.conf Settings
The following parameters are supported:

```
include FILENAME
includedir DIRNAME

[libdefaults]
    default_realm
    allow_weak_crypto
    dns_lookup_kdc
    dns_lookup_realm
    dns_fallback
    default_checksum
    safe_checksum_type
    ap_req_checksum_type
    default_keytab_name
    default_tkt_enctypes
    permitted_enctypes
    default_tgs_enctypes
    no_addresses
    noaddresses
    renewable
    proxiable
    forwardable
    kdc_default_options
    clockskew
    kdc_timeout
    udp_preference_limit
    max_retries
    renew_lifetime
    ticket_lifetime

[realms]
    REALM.NAME = {
        kdc
        kdc_timeout
        udp_preference_limit
        max_retries
    }

[capaths]
    A = {
        I = .
        B = I
    }

[domain_realm]
    domain = REALM
```
The following are the defaults for the krb5.conf file parameters:

```
no_addresses = true
noaddresses = true
dns_lookup_kdc = true
dns_lookup_realm = false
allow_weak_crypto = false
kdc_timeout = 30s
max_retries = 3
udp_preference_limit = 1465
clockskew = 300
renewable = false
proxiable = false
forwardable = false
```
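The following krb5.conf is an added example, not a file shipped with the JDK, and it serves both the note on restricting encryption types and the list of supported settings above. It uses only parameters named on this page: the [libdefaults] section pins ticket and TGS negotiation to the AES types from Table 7-1 and leaves the weak DES types disabled, and the [realms], [capaths] and [domain_realm] sections show the structure the parser accepts. The realm names, KDC host names and the keytab path are constructed placeholders.

```ini
[libdefaults]
    default_realm = EXAMPLE.COM
    # Keep the default: DES-based enctypes stay disabled.
    allow_weak_crypto = false
    # Request and accept only the AES types from Table 7-1, most preferred first.
    default_tkt_enctypes = aes256-cts aes128-cts
    default_tgs_enctypes = aes256-cts aes128-cts
    permitted_enctypes = aes256-cts aes128-cts
    # Locate KDCs via DNS SRV records, but not the realm itself.
    dns_lookup_kdc = true
    dns_lookup_realm = false
    # Defaults from this page, written out so an auditor can see them.
    clockskew = 300
    kdc_timeout = 30s
    max_retries = 3
    udp_preference_limit = 1465
    # Do not hand out forwardable or proxiable tickets unless a service needs them.
    forwardable = false
    proxiable = false
    renewable = false
    default_keytab_name = /etc/krb5.keytab

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        # Per-realm override of the global kdc_timeout above.
        kdc_timeout = 10s
        max_retries = 2
    }

[capaths]
    # From EXAMPLE.COM, reach PARTNER.EXAMPLE.COM directly (".") and
    # REMOTE.EXAMPLE.COM through PARTNER.EXAMPLE.COM as the intermediate.
    EXAMPLE.COM = {
        PARTNER.EXAMPLE.COM = .
        REMOTE.EXAMPLE.COM = PARTNER.EXAMPLE.COM
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

Setting all three of default_tkt_enctypes, default_tgs_enctypes and permitted_enctypes matters: the first two control what the client asks the KDC for, while permitted_enctypes controls what it will accept in session keys, so leaving any one of them at its default reopens negotiation to every type in Table 7-1 that is enabled.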