Updating encryption types

Phil Dibowitz phil at usc.edu
Thu Jul 7 17:22:59 EDT 2005


On Wed, Jul 06, 2005 at 07:21:17PM -0400, Kevin Coffman wrote:
> My guess is that your krbtgt/ISD.ISC.EDU@ISD.USC.EDU principal still
> only has a des key.  'cpw -randkey -keepold' on that principal to
> generate other keys.

Nice. That works. I didn't realize that had to be updated. Which leaves me
with a few more questions:

1. What's the difference between the principals krbtgt@ISD.USC.EDU and
krbtgt/ISD.USC.EDU@ISD.USC.EDU? They both exist, but krbtgt/ISD.USC.EDU seems
to be the ACTUAL ticket granting principal, while krbtgt@ISD.USC.EDU has the
DISALLOW_ALL_TIX attribute.

2. As expected doing the cpw on the krbtgt/ISD.USC.EDU ticket provides us
with:

Key: vno 2, ArcFour with HMAC/md5, no salt
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt

and since the kvno is updated, that means I will need to regenerate/ktadd the
new version of the key stashfile on all KDCs used to start the KDC, right?

3. Anything else I need to be wary of changing this principal and/or the
"other" krbtgt principal?

Thanks.
-- 
Phil Dibowitz
Systems Architect and Administrator
Enterprise Infrastructure / ISD / USC
UCC 180 - 213-821-5427
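
An added example, not part of the original message: a small Python helper that parses the "Key: vno ..." lines quoted above and reports whether the newest key version still holds only single-DES keys and which older versions were kept by -keepold. The function names and the rule for recognising single-DES display names are assumptions of this example.

```python
import re
from collections import defaultdict

# Key lines exactly as listed in the message above (after the cpw).
SAMPLE = """\
Key: vno 2, ArcFour with HMAC/md5, no salt
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
"""

# Greedy match: the last ", " on the line separates enctype from salt.
KEY_LINE = re.compile(r"^Key: vno (\d+), (.+), (.+)$")


def is_single_des(enctype):
    # Assumption: single-DES names are displayed starting with "DES " or
    # "des-"; "Triple DES ..." and "des3-..." deliberately do not match.
    name = enctype.strip().lower()
    return name.startswith("des ") or name.startswith("des-")


def parse_keys(text):
    """Return {kvno: [enctype, ...]} from 'Key: vno N, enctype, salt' lines."""
    keys = defaultdict(list)
    for line in text.splitlines():
        m = KEY_LINE.match(line.strip())
        if m:
            keys[int(m.group(1))].append(m.group(2))
    return dict(keys)


def audit(text):
    """Summarise the key set of one principal."""
    keys = parse_keys(text)
    if not keys:
        raise ValueError("no 'Key: vno' lines found")
    current = max(keys)  # the highest kvno is the one used for new tickets
    return {
        "current_kvno": current,
        "current_enctypes": keys[current],
        "des_only": all(is_single_des(e) for e in keys[current]),
        "retained_kvnos": sorted(k for k in keys if k != current),
    }


if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run against the listing above, it shows kvno 2 as current with three enctypes and kvno 1 retained as the old DES-only key.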
