Enctype configuration
Greg Hudson
ghudson at MIT.EDU
Sat Jul 25 10:53:21 EDT 2009
On Sat, 2009-07-25 at 06:59 -0400, Sam Hartman wrote:
> Thanks for bringing this up. Unfortunately there are some interop
> cases where random salt will be a problem. One is creating
> cross-realm passwords. Another is creating machine and service
> accounts for Windows.
I thought of the cross-TGT issue last night. I'm not sure machine and
service accounts for Windows are an issue since rc4-hmac's string-to-key
doesn't use the salt.
At this point, I'm going to carefully replace the drywall I removed and
pretend that I didn't find the nest of bad wiring inside. I will write
up an early project proposal describing random explicit salts and the
benefits and complications thereof, but I don't think the benefits are
worth the amount of time it would take to resolve the complications at
this point.
For the enctype configuration project, I will just leave the
supported_enctypes variable alone.
More information about the krbdev
mailing list