Operating Systems & Kerberos

Phil Hirsch pdh at us.ibm.com
Fri Feb 14 12:27:47 EST 2003


> Can you please update your documents to indicate that this
> significantly decreases the security of your realm? It has the effect
> of preferring des instead of des3 for the service tickets issued, among
> other things.

Good point.

If you know that only a few principals are likely to use the des3-less
client machines, I think you can limit the scope of the problem to just
those principals. Adding either "-e des:normal" or "-requires_preauth"
to my add_principal commands allows me to create principals that can
authenticate from my SEAM client machine even when des3 is listed first
in the config files on the KDC. The first way limits the principal to
des, and the second avoids preauthentication for the principal; either
one seems to work around the bug. This seems less bad than making a
global change that affects the entire realm, if the set of SEAM users
isn't large.

If some principals are known to use the SEAM clients and only the
SEAM clients, then limiting those clients to just des is no real loss,
since the client software doesn't support des3 anyway.
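An audit script along the lines of the scoping argument above, added here as an example and not part of the list message or any Kerberos distribution: it parses `kadmin getprinc` style output and lists which principals have been left with single-DES-only keys or without the preauth requirement, so an administrator can confirm the weakened set really is just the intended SEAM users. The sample output, the realm EXAMPLE.COM and the principal names are constructed, and the line format is assumed to follow MIT kadmin's older "Key: vno N, <enctype description>, <salt>" layout.

```python
import re

# Constructed sample, modelled on MIT kadmin getprinc output (assumption).
SAMPLE_GETPRINC = """\
Principal: seamuser@EXAMPLE.COM
Attributes:
Key: vno 1, DES cbc mode with CRC-32, no salt
Principal: alice@EXAMPLE.COM
Attributes: REQUIRES_PRE_AUTH
Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 3, DES cbc mode with CRC-32, no salt
Principal: bob@EXAMPLE.COM
Attributes: REQUIRES_PRE_AUTH
Key: vno 2, DES cbc mode with CRC-32, no salt
"""

KEY_LINE = re.compile(r"Key: vno \d+, (.*?), ")


def parse_getprinc(text):
    """Return {principal: {"attrs": set of attribute names, "keys": [enctype descriptions]}}."""
    principals = {}
    current = None
    for line in text.splitlines():
        if line.startswith("Principal:"):
            current = line.split(":", 1)[1].strip()
            principals[current] = {"attrs": set(), "keys": []}
        elif current is None:
            continue
        elif line.startswith("Attributes:"):
            # Attributes are whitespace separated; an empty list means no flags set.
            principals[current]["attrs"].update(line.split(":", 1)[1].split())
        elif line.startswith("Key:"):
            m = KEY_LINE.match(line)
            if m:
                principals[current]["keys"].append(m.group(1))
    return principals


def weakened_principals(principals):
    """Map each principal to the reasons it is weaker than the realm default.

    A principal is flagged when every key it holds is single DES (the
    "-e des" workaround) or when REQUIRES_PRE_AUTH is absent (the
    "-requires_preauth" workaround).  Principals with neither are omitted.
    """
    findings = {}
    for name, info in principals.items():
        reasons = []
        keys = info["keys"]
        if keys and all(k.startswith("DES cbc") for k in keys):
            reasons.append("single-DES-only keys")
        if "REQUIRES_PRE_AUTH" not in info["attrs"]:
            reasons.append("preauth not required")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for principal, reasons in weakened_principals(parse_getprinc(SAMPLE_GETPRINC)).items():
        print(f"{principal}: {', '.join(reasons)}")
```

Feed it the concatenated output of `getprinc` for the principals you care about; anything flagged that is not a known SEAM-only user is a candidate for moving back to des3 keys and preauth.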
