Getting single DES TGT [was Re: KDC: upgrade to 3DES]

Jeffrey Altman jaltman2 at nyc.rr.com
Fri Apr 8 07:44:39 EDT 2005


Craig Huckabee wrote:
> But even when I set:
> 
>   default_tgs_enctypes = des-cbc-crc
>   default_tkt_enctypes = des-cbc-crc
> 
> on the client, I get a des-cbc-crc session key, but a 3des tkt.  This
> happens with an MIT 1.3.6 kinit on Linux and Solaris.
> 
>   Is the KDC just picking the first key type from the list of available
> encryption types, despite what the client asks for?  Any suggestions
> for testing this theory (I've done some Ethereal sniffs which lead me to
> think the KDC is at fault)?

The choice of the enctype used to encrypt the portion of the ticket
given to the service is determined by the enctypes configured for the
service principal.  To restrict tickets being given to a service to
des-cbc-crc you must remove all enctypes other than des-cbc-crc from
the service principal in the Kerberos database.

DO NOT, I repeat, DO NOT attempt to place restrictions on the enctypes
lists in the krb5.conf file.  You are only going to get yourself into
deep trouble in the future.  default_tgs_enctypes and
default_tkt_enctypes should 99.9% of the time never be used by anyone.

Jeffrey Altman
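
[Added example, not part of the original message and not MIT krb5 code: a simplified Python model of the two independent choices discussed in this thread, showing why the client-side setting changes the session key but not the ticket enctype. The names Principal, issue_ticket and restrict_keys, the realm EXAMPLE.COM, and the rules "first stored key" and "first supported requested enctype" are assumptions made for illustration.]

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Principal:
    name: str
    key_enctypes: tuple  # enctypes of the long-term keys held in the KDC database


def issue_ticket(requested, service, kdc_supported):
    """Return (session_key_enctype, ticket_enctype) for one request."""
    if not service.key_enctypes:
        raise LookupError(f"{service.name} has no keys")
    # Ticket part: encrypted in the service principal's own long-term key.
    # The client's requested list plays no role here
    # (assumption: the first stored key is the one used).
    ticket = service.key_enctypes[0]
    # Session key: first enctype the client asked for that the KDC supports
    # (simplified assumption).
    for etype in requested:
        if etype in kdc_supported:
            return etype, ticket
    raise LookupError("KDC_ERR_ETYPE_NOSUPP")


def restrict_keys(service, keep):
    """Model of removing every enctype except those in `keep` from the principal."""
    kept = tuple(e for e in service.key_enctypes if e in keep)
    return replace(service, key_enctypes=kept)


# Constructed sample data matching the situation in the quoted question.
KDC_SUPPORTED = ("des3-cbc-sha1", "des-cbc-crc")
krbtgt = Principal("krbtgt/EXAMPLE.COM", ("des3-cbc-sha1", "des-cbc-crc"))
client_request = ["des-cbc-crc"]  # effect of default_tkt_enctypes = des-cbc-crc

if __name__ == "__main__":
    # Client restriction alone: des-cbc-crc session key, 3DES ticket.
    print(issue_ticket(client_request, krbtgt, KDC_SUPPORTED))
    # After the service principal keeps only des-cbc-crc keys.
    des_only = restrict_keys(krbtgt, {"des-cbc-crc"})
    print(issue_ticket(client_request, des_only, KDC_SUPPORTED))
```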

