Man 5 page for kdc.conf does not mention acceptable encryption types

Bug #900447 reported by Leonardo Borda
This bug affects 2 people
Affects: krb5 (Ubuntu)
Status: Confirmed
Importance: Low
Assigned to: Unassigned

Bug Description

Hi

It would be helpful if the man 5 page for kdc.conf could explicitly specify the acceptable encryption types we can use.

Currently the only way is looking at the source code in the following file:
/krb5-1.9.1+dfsg/src/lib/crypto/krb/etypes.c

grep ENCTYPE_ ./krb5-1.9.1+dfsg/src/lib/crypto/krb/etypes.c
    { ENCTYPE_DES_CBC_CRC,
    { ENCTYPE_DES_CBC_MD4,
    { ENCTYPE_DES_CBC_MD5,
    { ENCTYPE_DES_CBC_RAW,
    { ENCTYPE_DES3_CBC_RAW,
    { ENCTYPE_DES3_CBC_SHA1,
    { ENCTYPE_DES_HMAC_SHA1,
    { ENCTYPE_ARCFOUR_HMAC,
    { ENCTYPE_ARCFOUR_HMAC_EXP,
    { ENCTYPE_AES128_CTS_HMAC_SHA1_96,
    { ENCTYPE_AES256_CTS_HMAC_SHA1_96,
    { ENCTYPE_CAMELLIA128_CTS_CMAC,
    { ENCTYPE_CAMELLIA256_CTS_CMAC,

Leonardo

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: krb5-kdc 1.9.1+dfsg-1ubuntu2.1
Uname: Linux 3.2.0-999-generic x86_64
ApportVersion: 1.23-0ubuntu4
Architecture: amd64
Date: Mon Dec 5 14:31:49 2011
ProcEnviron:
 LANGUAGE=en_US:
 LANG=en_US
 SHELL=/bin/bash
SourcePackage: krb5
UpgradeStatus: No upgrade log present (probably fresh install)
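
Added example, not part of the original report or of krb5: a small Python check that derives configuration-file names from the ENCTYPE_ constants in the grep output above and reports enctype values in a kdc.conf that fall outside that list. It assumes each configuration name is the constant with the ENCTYPE_ prefix dropped, lowercased, with hyphens for underscores; alias spellings are not covered, and the sample kdc.conf is constructed.

```python
import re

# Constant names exactly as they appear in the grep output of the bug description.
ENCTYPE_CONSTANTS = """
ENCTYPE_DES_CBC_CRC ENCTYPE_DES_CBC_MD4 ENCTYPE_DES_CBC_MD5 ENCTYPE_DES_CBC_RAW
ENCTYPE_DES3_CBC_RAW ENCTYPE_DES3_CBC_SHA1 ENCTYPE_DES_HMAC_SHA1
ENCTYPE_ARCFOUR_HMAC ENCTYPE_ARCFOUR_HMAC_EXP
ENCTYPE_AES128_CTS_HMAC_SHA1_96 ENCTYPE_AES256_CTS_HMAC_SHA1_96
ENCTYPE_CAMELLIA128_CTS_CMAC ENCTYPE_CAMELLIA256_CTS_CMAC
""".split()

def config_name(constant):
    # Assumption: config spelling = constant without "ENCTYPE_", lowercased, "_" -> "-".
    return constant[len("ENCTYPE_"):].lower().replace("_", "-")

KNOWN = {config_name(c) for c in ENCTYPE_CONSTANTS}

# Constructed sample; the last supported_enctypes entry is deliberately invalid.
SAMPLE_KDC_CONF = """\
[realms]
    EXAMPLE.COM = {
        master_key_type = aes256-cts-hmac-sha1-96
        supported_enctypes = aes256-cts-hmac-sha1-96:normal arcfour-hmac:normal des-cbc-crc:v4 aes512-cts:normal
    }
"""

ENCTYPE_KEYS = re.compile(r"\s*(master_key_type|supported_enctypes)\s*=\s*(.*)")

def audit(conf_text):
    """Return (line_no, key, enctype) for every enctype value not in KNOWN."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        if line.strip().startswith(("#", ";")):   # whole-line comments
            continue
        match = ENCTYPE_KEYS.match(line)
        if not match:
            continue
        key, value = match.groups()
        for item in re.split(r"[\s,]+", value.strip()):
            if not item:
                continue
            enctype = item.split(":", 1)[0].lower()   # drop the ":salt" part
            if enctype not in KNOWN:
                findings.append((line_no, key, enctype))
    return findings

if __name__ == "__main__":
    for line_no, key, enctype in audit(SAMPLE_KDC_CONF):
        print(f"line {line_no}: {key}: unrecognised enctype {enctype!r}")
```
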

Leonardo Borda (lborda) wrote :
summary: - Man 5 page for kdc.conf does not mention acceptable values
+ Man 5 page for kdc.conf does not mention acceptable encryption types

Russ Allbery (rra-debian) wrote : Re: [Bug 900447] [NEW] Man 5 page for kdc.conf does not mention acceptable encryption types

Leonardo Borda <email address hidden> writes:

> It would be helpful if the man 5 page for kdc.conf could explicitly
> specify the acceptable encryption types we can use.

> Currently the only way is looking at the source code in the following
> file: /krb5-1.9.1+dfsg/src/lib/crypto/krb/etypes.c

They're listed in the krb5-admin info pages included in krb5-doc under
Configuration Files.

--
Russ Allbery (<email address hidden>) <http://www.eyrie.org/~eagle/>

Sam Hartman (hartmans) wrote : Re: [Bug 900447] [NEW] Man 5 page for kdc.conf does not mention acceptable encryption types

Russ, I thought that they were listed in the admin info pages too.
However, while I see a bunch of examples, searching for the string hmac
in the sources to the admin guide, I don't actually find a complete list
of the encryption types anywhere.
Am I missing something?

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in krb5 (Ubuntu):
status: New → Confirmed

Taylor Yu (tlyu) wrote : Re: [Bug 900447] [NEW] Man 5 page for kdc.conf does not mention acceptable encryption types

Sam Hartman <email address hidden> writes:

> Russ, I thought that they were listed in the admin info pages too.
> However, while I see a bunch of examples, searching for the string hmac
> in the sources to the admin guide, I don't actually find a complete list
> of the encryption types anywhere.
> Am I missing something?

They could be in definitions.texinfo or support-enc.texinfo.

Sam Hartman (hartmans) wrote : Re: [Bug 900447] [NEW] Man 5 page for kdc.conf does not mention acceptable encryption types

They are in fact in support-enc.texinfo.
OK.
So, to the extent there is a bug it's that kdc.conf's manpage doesn't
tell you to go look at the admin guide.
I don't think we want to duplicate the information.

J Sadler (jsadler) wrote :

You may want to reconsider adding it to kdc.conf's man page.

I don't believe that in a normal client install that you would get the admin guide. Don't you only get it if you install the admin packages? If you are in a mixed environment as a client and the kerb server is something other than Ubuntu/Debian, is it reasonable to expect the user to load a package that they aren't going to use so they can get the info needed to configure their client?

Russ Allbery (rra-debian) wrote : Re: [Bug 900447] Re: Man 5 page for kdc.conf does not mention acceptable encryption types

J Sadler <email address hidden> writes:

> You may want to reconsider adding it to kdc.conf's man page.

> I don't believe that in a normal client install that you would get the
> admin guide. Don't you only get it if you install the admin packages?

It's part of the krb5-doc package, which you will often want to install on
a client installation if you're not already deeply familiar with Kerberos.
There are lots of other things related to client configuration that are
better-documented in the texinfo manual than in the man pages. (Man pages
aren't the greatest format for a full-blown reference manual; they don't
have very much useful structure.)

--
Russ Allbery (<email address hidden>) <http://www.eyrie.org/~eagle/>

Sam Hartman (hartmans) wrote : Re: [Bug 900447] Re: Man 5 page for kdc.conf does not mention acceptable encryption types

>>>>> "J" == J Sadler <email address hidden> writes:

    J> You may want to reconsider adding it to kdc.conf's man page. I
    J> don't believe that in a normal client install that you would get
    J> the admin guide. Don't you only get it if you install the admin
    J> packages?

1) It's in krb5-doc; anyone can install that

2) Really end-users have very little business setting those config
values. With the exception of some unfortunate bugs with NFS, it more
or less means that the Kerberos admin has screwed up if you find
yourself needing to care about enctypes. Which of course does happen,
so if it were in krb5-admin-server not krb5-doc I'd agree with your
point. However, asking people to look on the web or at detailed
documentation for a complex issue seems reasonable to me.

--Sam

Changed in krb5 (Ubuntu):
importance: Undecided → Low