Updating encryption types

Tom Yu tlyu at MIT.EDU
Thu Jul 7 19:52:52 EDT 2005


>>>>> "phil" == Phil Dibowitz <phil at usc.edu> writes:

phil> 2. As expected doing the cpw on the krbtgt/ISD.USC.EDU ticket provides us
phil> with:

phil> Key: vno 2, ArcFour with HMAC/md5, no salt
phil> Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
phil> Key: vno 2, DES cbc mode with CRC-32, no salt
phil> Key: vno 1, DES cbc mode with CRC-32, no salt

phil> and since the kvno is updated, that means I will need to
phil> regenerate/ktadd the new version of the key stashfile on all
phil> KDCs used to start the KDC, right?

No, you will simply need to kprop the updated database.  The krbtgt
key is not stored in any keytab.  The stashfile stores the master key,
not the krbtgt key.

---Tom

