IBM Support

Kerberos encryption types enhancements

News


Abstract

The Kerberos configuration commands were updated to include parameters to specify the list of encryption types to add and remove for the specified principal from the keytab entries. The default encryption types when creating a new entry now only include AES algorithms.

Content

The Kerberos configuration commands include parameters to specify the list of encryption types to add and remove for the specified principal from the keytab entries.
The default encryption types when creating a new entry are now *AES256 and *AES128. The default in prior releases is *AES256 *AES128 *CBCDES *DESHMAC *CBCDES3 *ARCFOUR.
The following example command calls show the new ENCTYPE parameter and its common values.
Add Kerberos Keytab Entry (ADDKRBKTE) 
  • Add a service principal entry into the default Key Table file for each of the default encryption types.
    • ADDKRBKTE PRINCIPAL('krbsvr400/camolts.myco.com' MYCO.COM) PASSWORD(uneed2chg) VERSION(*GEN) KEYTABFILE(*DFT) ENCTYPE(*DFT) 
  • Add a principal name keytab entry with specific encryption types 
    • ADDKRBKTE PRINCIPAL('ferb' ROCH.MN.COM) PASSWORD(uneed2chg) KEYTABFILE(*DFT) ENCTYPE(*AES128 *AES256) 
Remove Kerberos Keytab Entry (RMVKRBKTE) 
  • Remove all the keytab entries for a principal 
    • RMVKRBKTE PRINCIPAL('krbsvr400/my.gmyco.com' *DFT) KEYTABFILE(*DFT) ENCTYPE(*ALL) 
  • Remove specific keytab entries for a principal; in this example, remove only the deprecated or less secure algorithms and keep the AES keys.
    • RMVKRBKTE PRINCIPAL('krbsvr400/my.gmyco.com' *DFT) KEYTABFILE(*DFT) ENCTYPE(*CBCDES *DESHMAC *CBCDES3 *ARCFOUR) 
QSH keytab command new option 
  • -e The list of encryption types. When adding a key, if this option is not specified, the default encryption types are added: aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96. When deleting a key, if this option is not specified, all encryption types are deleted. The list of encryption types must be a single argument in the form of a blank- or comma-separated list.
See the ADDKRBKTE and RMVKRBKTE command descriptions or the QSH keytab command in IBM Documentation.
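The RMVKRBKTE example above removes the DES, 3DES and RC4 keys for one principal, and the QSH keytab -e option lists enctypes by their MIT names. Before running either, an administrator usually wants to know which principals in a keytab still carry keys for those enctypes. The following script is an added example, not IBM code or part of this document: it parses a keytab file and reports every entry whose key uses a deprecated enctype. It assumes the keytab is stored in the MIT Kerberos v2 keytab format (magic bytes 0x05 0x02), which is the format the QSH keytab command reads; the sample keytab embedded at the bottom is constructed in memory for the page's example service principal with the old six-enctype default, and the enctype names are the standard MIT names.

```python
"""Audit a Kerberos keytab for deprecated encryption types.

Added example, not IBM code. Assumption: the keytab uses the MIT
Kerberos v2 keytab layout (magic 0x0502), as read by the QSH keytab
command on IBM i.
"""
import struct

# Standard Kerberos enctype numbers (RFC 3961/3962/4757) and the MIT
# names that the QSH keytab -e option accepts.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}

# The enctypes that the new *AES256/*AES128 default no longer creates:
# single DES, triple DES and RC4.
DEPRECATED_ENCTYPES = {1, 3, 16, 23}


def _read_counted(buf, pos):
    """Read a uint16 length-prefixed octet string starting at pos."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def parse_keytab(data):
    """Return a list of (principal, kvno, enctype) tuples from keytab bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a v2 keytab (bad magic %r)" % data[:2])
    pos = 2
    entries = []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        # name_type (4 bytes), timestamp (4 bytes), 8-bit key version
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        _key, pos = _read_counted(data, pos)   # key material is not reported
        kvno = vno8
        if end - pos >= 4:      # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        principal = "/".join(comps) + "@" + realm.decode()
        entries.append((principal, kvno, enctype))
    return entries


def weak_entries(entries):
    """Entries whose key uses a DES, 3DES or RC4 enctype, with the MIT name."""
    return [(p, k, ENCTYPE_NAMES.get(e, str(e)))
            for p, k, e in entries if e in DEPRECATED_ENCTYPES]


def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key) tuples as a v2 keytab.

    Used only to construct sample data for this example."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.split("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name_type, timestamp, vno8
        body += struct.pack(">H", enctype) + struct.pack(">H", len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample: the page's example service principal with keys for
# the old default enctype set (key bytes are dummy values).
SAMPLE_KEYTAB = build_keytab([
    ("krbsvr400/camolts.myco.com@MYCO.COM", 2, 18, b"\x11" * 32),
    ("krbsvr400/camolts.myco.com@MYCO.COM", 2, 17, b"\x22" * 16),
    ("krbsvr400/camolts.myco.com@MYCO.COM", 2, 3, b"\x33" * 8),
    ("krbsvr400/camolts.myco.com@MYCO.COM", 2, 16, b"\x44" * 24),
    ("krbsvr400/camolts.myco.com@MYCO.COM", 2, 23, b"\x55" * 16),
])

if __name__ == "__main__":
    import sys
    # Pass a keytab path to audit a real file; with no argument the sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    for p, k, name in weak_entries(parse_keytab(data)):
        print(f"WEAK  {p}  kvno={k}  {name}")
```

Run it against a copy of the keytab file to get the list of principals that still need an RMVKRBKTE with ENCTYPE(*CBCDES *DESHMAC *CBCDES3 *ARCFOUR) or a QSH keytab delete with the matching -e list. The parser deliberately discards the key bytes after reading past them, so its output can be shared without exposing key material, and it skips deleted slots (negative entry size) so a keytab that has already had entries removed still parses cleanly.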


Document Information

Modified date:
08 April 2025

UID

ibm17229786