Getting single DES TGT [was Re: KDC: upgrade to 3DES]

Craig Huckabee huck at spawar.navy.mil
Fri Apr 8 08:14:37 EDT 2005


Jeffrey Altman wrote:

> Craig Huckabee wrote:
> 
>>But even when I set:
>>
>>  default_tgs_enctypes = des-cbc-crc
>>  default_tkt_enctypes = des-cbc-crc
>>
>>on the client, I get a des-cbc-crc session key, but a 3des tkt.  This
>>happens with an MIT 1.3.6 kinit on Linux and Solaris.
>>
>>  Is the KDC just picking the first key type from the list of available
>>encryption types, despite what the client asks for?  Any suggestions
>>for testing this theory (I've done some ethereal sniffs which lead me to
>>think the KDC is at fault)?
> 
> 
> The choice of the enctype used to encrypt the portion of the ticket
> given to the service is determined by the enctypes configured for the
> service principal.  To restrict tickets being given to a service to
> des-cbc-crc you must remove all enctypes other than des-cbc-crc from
> the service principal in the Kerberos database.
> 

OK - so if I didn't want *anyone* to get a 3DES TGT, I'd have to 
completely remove 3DES from the enctypes list for my krbtgt principal.
Makes sense.


> DO NOT, I repeat, DO NOT attempt to place restrictions on the enctypes
> lists in the krb5.conf file.  You are only going to get yourself into
> deep trouble in the future.  default_tgs_enctypes and
> default_tkt_enctypes should 99.9% of the time never be used by anyone.
> 

   Understood; however, those parameters don't appear to work as 
documented either.

   I did some testing last night on a demo realm I have on a private 
network: whatever enctype is listed first for the krbtgt principal is 
the one selected for the tkt no matter what the client asks for.  The 
skey gets selected as expected when default_tgs_enctypes is used.



-- 
/ Craig Huckabee        |          e-mail: huck at spawar.navy.mil /
/ Code 715-CH           |           phone: (843) 218 5653       /
/ SPAWAR Systems Center | close proximity: "Hey You!"           /
/ Charleston, SC        |            ICBM:  32.78N, 79.93W      /
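The behaviour reported above (ticket enctype follows the first key listed on the krbtgt principal; the session key follows the client's requested list) can be checked against a realm's own data before touching the KDC. The following is an added example, not code from this thread or from MIT Kerberos: it parses constructed `kadmin getprinc` output and a constructed client krb5.conf, predicts both enctypes under that model, and flags the `default_tgs_enctypes`/`default_tkt_enctypes` settings the reply warns against. The exact wording of the `Key: vno N, <enctype>, <salt>` lines, and the `kdc_supported` list standing in for the KDC's permitted enctypes, are assumptions, not something the thread documents.

```python
"""Predict which enctype a TGT will carry.  Added example, not from the thread.

Models the behaviour the post reports: the ticket itself is encrypted with
whichever key is listed first (at the highest kvno) on the krbtgt principal,
regardless of the client's request, while the session key is the first
client-requested enctype the KDC supports.  All sample data is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed: modelled on `kadmin -q "getprinc krbtgt/REALM"` on MIT krb5.
# The exact line wording and the short enctype names are an assumption.
SAMPLE_GETPRINC = """\
Principal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Number of keys: 3
Key: vno 2, des3-cbc-sha1, no salt
Key: vno 2, des-cbc-crc, no salt
Key: vno 1, des-cbc-md5, no salt
Attributes:
"""

# Constructed client krb5.conf carrying the settings the post experimented with.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tgs_enctypes = des-cbc-crc
    default_tkt_enctypes = des-cbc-crc

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

KEY_RE = re.compile(r"^Key:\s+vno\s+(\d+),\s+([^,]+)")


def parse_principal_keys(getprinc_output: str) -> List[Tuple[int, str]]:
    """Return (kvno, enctype) pairs in the order kadmin lists them."""
    keys = []
    for line in getprinc_output.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            keys.append((int(m.group(1)), m.group(2).strip()))
    return keys


def parse_libdefaults(conf: str) -> Dict[str, List[str]]:
    """Pull the enctype-list settings out of the [libdefaults] section only."""
    wanted = {"default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"}
    result: Dict[str, List[str]] = {}
    section = None
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() in wanted:
            result[key.strip()] = value.split()
    return result


def ticket_enctype(keys: List[Tuple[int, str]]) -> Optional[str]:
    """Enctype used to encrypt the ticket: first key listed at the highest
    kvno on the service (here krbtgt) principal; the client request is ignored."""
    if not keys:
        return None
    top = max(kvno for kvno, _ in keys)
    return next(enc for kvno, enc in keys if kvno == top)


def session_enctype(requested: List[str], kdc_supported: List[str]) -> Optional[str]:
    """Session key: first client-requested enctype the KDC also supports.
    kdc_supported stands in for the KDC's permitted list (an assumption)."""
    return next((enc for enc in requested if enc in kdc_supported), None)


def discouraged_settings(libdefaults: Dict[str, List[str]]) -> List[str]:
    """The krb5.conf settings the reply says almost nobody should set."""
    return sorted(k for k in ("default_tgs_enctypes", "default_tkt_enctypes")
                  if k in libdefaults)


def audit(getprinc_output: str, conf: str, kdc_supported: List[str]) -> Dict[str, object]:
    """Summarise what a kinit (AS exchange) against this realm would get."""
    keys = parse_principal_keys(getprinc_output)
    ld = parse_libdefaults(conf)
    return {
        "ticket_enctype": ticket_enctype(keys),
        # kinit's AS-REQ is governed by default_tkt_enctypes, not _tgs_.
        "session_enctype": session_enctype(ld.get("default_tkt_enctypes", []), kdc_supported),
        "discouraged": discouraged_settings(ld),
        "krbtgt_has_3des": any(enc.startswith("des3") for _, enc in keys),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_GETPRINC, SAMPLE_KRB5_CONF,
                ["des3-cbc-sha1", "des-cbc-crc", "des-cbc-md5"]))
```

Running the sample reproduces the situation in the post: a des-cbc-crc session key but a des3-cbc-sha1 ticket, because 3DES is the first krbtgt key. Feeding the same functions a key list with the des3 entry removed is the only change that moves the ticket enctype to des-cbc-crc, which is the conclusion reached above about the krbtgt principal.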