<no subject>
Jeffrey Altman
jaltman2 at nyc.rr.com
Tue Mar 30 17:48:37 EST 2004
Sam Hartman wrote:
>>>>>>"Mark" == Mark Hendricks <mdh3 at humboldt.edu> writes:
>
> Mark> -e des:normal krbtgt/<AD><REALM>
>
> I'm not sure what problem this is designed to fix, but it sounds like
> a bad idea from a security standpoint. It will certainly mask a large
> class of configuration or interoperability problems.
>
> But pretty much all the Kerberos implementations have advanced to a
> point where with even vaguely modern software, this sort of solution
> is unnecessary.

All the implementations except for the Java Kerberos implementation
and perhaps some implementation that Oracle might be shipping.

Not to say that forcing the use of des-cbc-crc is a good idea; it's not.
Just pointing out that there are still interop problems based entirely
in the implemented set of enctypes.

Jeffrey Altman