default_tgs_enctypes confusion
Sam Hartman
hartmans at MIT.EDU
Fri May 30 12:07:49 EDT 2003
>>>>> "Jason" == Jason C Wells <jcwells1 at highperformance.net> writes:

Jason> The man page for krb5.conf states that default_tgs_enctypes
Jason> is a list of session key encryption types that should be
Jason> returned by the KDC. Also, default_tkt_enctypes is a list
Jason> of session key encryption types that should be requested by
Jason> the client.

Jason> So, if I omit an encryption type, then I am not requesting
Jason> that encryption type. Right?

Yes. However, note that you only get to control the session key
encryption type, not the ticket encryption type.

For example, consider the following: The key
host/solipsist-nation.suchdamage.org at SUCHDAMAGE.ORG has a
des3-hmac-sha1 service key in the KDC database. So, no matter what I
do as a client, the ticket itself will be encrypted with des3.
However, I as a client can influence what session key is chosen.

For example, here is the ticket I get if I restrict
default_tgs_enctypes to include only des-cbc-crc:

05/30/03 12:02:50 05/30/03 21:35:43 host/solipsist-nation.suchdamage.org at SUCHDAMAGE.ORG
Etype (skey, tkt): DES cbc mode with CRC-32, Triple DES cbc mode with HMAC/sha1

Note that the first encryption type is the session key--the key that
the client needs to use to encrypt future traffic with the service.
The second entry is the ticket key--the key that the KDC and the
service share with each other.
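The distinction above (session key chosen with client input, ticket key fixed by the service's key in the KDC database) is exactly what an administrator needs when auditing a credential cache for weak encryption types. The following script is an added example, not part of the mailing list post: it parses the `Etype (skey, tkt)` lines that `klist -e` prints, rates each enctype, and reports which side has to change for each weak key. The sample `klist` output is constructed for the example (the first ticket mirrors the one in the post, with the '@' restored; the krbtgt entry and cache header are invented), and the `classify`, `parse_klist` and `audit` helpers are this example's own, not MIT Kerberos APIs. It generalizes the post's single case by handling both the long enctype names shown there and the short `des-cbc-crc` / `aes256-cts-hmac-sha1-96` style names printed by newer klist versions.

```python
import re
from typing import Dict, List

# Constructed sample of `klist -e` output in MIT Kerberos format. The first
# ticket reproduces the one shown in the post (with '@' restored); the krbtgt
# entry and the cache header are made up for illustration.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jason@SUCHDAMAGE.ORG

Valid starting     Expires            Service principal
05/30/03 12:02:50  05/30/03 21:35:43  host/solipsist-nation.suchdamage.org@SUCHDAMAGE.ORG
\tEtype (skey, tkt): DES cbc mode with CRC-32, Triple DES cbc mode with HMAC/sha1
05/30/03 12:02:50  05/30/03 21:35:43  krbtgt/SUCHDAMAGE.ORG@SUCHDAMAGE.ORG
\tEtype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
"""

# A ticket line: two timestamps followed by the service principal. Both the
# 2-digit (older klist) and 4-digit year forms are accepted.
TICKET_RE = re.compile(
    r"^\d{2}/\d{2}/\d{2,4}\s+\d{2}:\d{2}:\d{2}\s+"
    r"\d{2}/\d{2}/\d{2,4}\s+\d{2}:\d{2}:\d{2}\s+(\S+)\s*$"
)
# The enctype line printed by `klist -e`: session key first, ticket key second.
# MIT's display names contain no commas, so the first ", " is the separator.
ETYPE_RE = re.compile(r"^\s*Etype \(skey, tkt\):\s*(.+?),\s*(.+?)\s*$")


def classify(enctype: str) -> str:
    """Rate an enctype by its klist display name (long or short form)."""
    n = enctype.lower()
    if n.startswith("aes") or "camellia" in n:
        return "strong"
    if "triple des" in n or "des3" in n:
        return "deprecated"      # 3DES: deprecated by RFC 8429
    if "arcfour" in n or "rc4" in n:
        return "deprecated"      # RC4-HMAC: deprecated by RFC 8429
    if n.startswith("des ") or n.startswith("des-"):
        return "weak"            # single DES: withdrawn by RFC 6649
    return "unknown"


def parse_klist(text: str) -> List[Dict[str, str]]:
    """Pair each service principal with its (session key, ticket key) enctypes."""
    tickets: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            current = {"principal": m.group(1), "skey": "", "tkt": ""}
            tickets.append(current)
            continue
        m = ETYPE_RE.match(line)
        if m and current is not None:
            current["skey"], current["tkt"] = m.group(1), m.group(2)
    return tickets


# Who can fix each side, per the post: the client influences the session key
# type; the service key stored in the KDC database fixes the ticket key type.
REMEDY = {
    "skey": "client side: restrict default_tgs_enctypes/default_tkt_enctypes in krb5.conf",
    "tkt": "KDC side: re-key the service principal so its stored key uses a strong enctype",
}


def audit(text: str) -> List[Dict[str, str]]:
    """Report every non-strong session or ticket key with the side that must change."""
    findings = []
    for t in parse_klist(text):
        for side in ("skey", "tkt"):
            rating = classify(t[side])
            if rating != "strong":
                findings.append({
                    "principal": t["principal"],
                    "key": side,
                    "enctype": t[side],
                    "rating": rating,
                    "remedy": REMEDY[side],
                })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_KLIST):
        print(f"{f['principal']}: {f['key']} = {f['enctype']} [{f['rating']}] -> {f['remedy']}")
```

Run it against real output with `klist -e | python3 audit_enctypes.py` after replacing `SAMPLE_KLIST` with `sys.stdin.read()`; a ticket whose session key is rated weak points at the client's krb5.conf, while a weak ticket key can only be fixed by re-keying the service principal on the KDC, which is the point the post makes.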