krb enctype presentation available

Will Fiveash William.Fiveash at sun.com
Thu Jun 30 19:25:08 EDT 2005


On Thu, Jun 30, 2005 at 05:21:40PM -0400, Ken Hornstein wrote:
> >I created a presentation PDF a while back that I've placed on the Web
> >which goes into detail on Kerberos enctypes in terms of how they are
> >used, negotiated and controlled via *.conf parameters.  It can be
> >downloaded via my blog:
> >
> >http://blogs.sun.com/roller/page/wfiveash?entry=everything_you_wanted_to_know
> 
> This is a good presentation.  I have two comments:
> 
> - In my experience, encryption type settings are the herpes of the Kerberos
>   world - once they get out "into the wild", they spread magically to
>   other systems and it's damn hard to get rid of them.  If you have
>   your applicatation server enctypes set correctly, you should almost
>   never need them.  I'd stress that setting these enctype settings on
>   the client should only be used rarely (say, you're using MIT Kerberos
>   that supports AES, but one of your developers uses a Java Kerberos
>   implementation that only supports single-DES).  I know you mention this
>   in your last slide, but I'd put something stronger in there.

Yeah, I'll stress doing the "right thing" more as this is one of the
reasons I created the presentation (helping admins understand the entype
knobs to get it right or at least leave well enough alone).

> - I know you know this, but on slide 8 you imply with the diagrams that
>   the ticket in the AS_REP is double-encrypted, and of course it's not;
>   only the session key and a few other bits are encrypted by the user's
>   long-term key.  A minor nit, but I only wanted to point it out for
>   accuracy's sake.

Thanks for the feedback.  I'll tweak the presentation to make it more
accurate.

-- 
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)


More information about the Kerberos mailing list