Updating encryption types

Phil Dibowitz phil at usc.edu
Thu Jul 7 20:21:19 EDT 2005


On Thu, Jul 07, 2005 at 07:52:52PM -0400, Tom Yu wrote:
> >>>>> "phil" == Phil Dibowitz <phil at usc.edu> writes:
> 
> phil> 2. As expected doing the cpw on the krbtgt/ISD.USC.EDU ticket provides us
> phil> with:
> 
> phil> Key: vno 2, ArcFour with HMAC/md5, no salt
> phil> Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
> phil> Key: vno 2, DES cbc mode with CRC-32, no salt
> phil> Key: vno 1, DES cbc mode with CRC-32, no salt
> 
> phil> and since the kvno is updated, that means I will need to
> phil> regenerate/ktadd the new version of the key stashfile on all
> phil> KDCs used to start the KDC, right?
> 
> No, you will simply need to kprop the updated database.  The krbtgt
> key is not stored in any keytab.  The stashfile stores the master key,
> not the krbtgt key.

That's what I thought, thanks.

I've grabbed my kerb book and my notes and I have a few unrelated questions
that I will ask in another email.

-- 
Phil Dibowitz
Systems Architect and Administrator
Enterprise Infrastructure / ISD / USC
UCC 180 - 213-821-5427
