default_tgs_enctypes confusion

Sam Hartman hartmans at MIT.EDU
Fri May 30 12:07:49 EDT 2003


>>>>> "Jason" == Jason C Wells <jcwells1 at highperformance.net> writes:

    Jason> The man page for krb5.conf states that default_tgs_enctypes
    Jason> is a list session key encryption types that should be
    Jason> returned by the KDC.  Also, default_tkt_enctypes is a list
    Jason> of session key encryption types the should be requested by
    Jason> the client.

    Jason> So, if I omit an encryption type, then I am not requesting
    Jason> that encryption type.  Right?

Yes.  However, note that you only get to control the session key
encryption type not the ticket encryption type.

For example, consider the following: The key
host/solipsist-nation.suchdamage.org at SUCHDAMAGE.ORG has a
des3-hmac-sha1 service key in the KDC database.  So, no matter what I
do as a client, the ticket itself will be encrypted with des3.
However, I as a client can influence what session key is chosen.

For example here is the ticket I get if I restrict
default_tgs_enctypes to include only des-cbc-crc:



05/30/03 12:02:50  05/30/03 21:35:43  host/solipsist-nation.suchdamage.org at SUCHDAMAGE.ORG
         Etype (skey, tkt): DES cbc mode with CRC-32, Triple DES cbc mode with HMAC/sha1
         

Note that the first encryption type is the session key--the key that
the client needs to use to encrypt future traffic with the service.
The second entry is the ticket key--the key that the KDC and the
service share with each other.



More information about the Kerberos mailing list