Updating encryption types

Phil Dibowitz phil at usc.edu
Fri Jul 1 05:14:02 EDT 2005


So reading through:

  http://web.mit.edu/kerberos/www/krb5-1.4/krb5-1.4.1/doc/krb5-install/Upgrading-to-Triple-DES-and-RC4-Encryption-Keys.html#Upgrading%20to%20Triple-DES%20and%20RC4%20Encryption%20Keys

(the upgrading encryption types page)... regarding this sentence "Because of
the way the MIT Kerberos database is structured, the KDC will assume that a
service supports only those encryption types for which keys are found in the
database."

That makes me think that even if kdc.conf has:

	default_tgs_enctypes = arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc

and krb5.conf has:

	default_tkt_enctypes = arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc
	default_tgs_enctypes = arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc

any principals created before the switchover will obviously be stored in the
old encryption type - but during authentication, what encryption type will be
used between the client and the KDC?

I'm a bit confused as to what all will use the new encryption types and what
will use the old encryption types.

Thanks.
-- 
Phil Dibowitz
Systems Architect and Administrator
Enterprise Infrastructure / ISD / USC
UCC 180 - 213-821-5427
