Solaris 9, stock sshd, pam_krb5, MIT 1.4.3 KDC
Ken Hornstein
kenh at cmf.nrl.navy.mil
Tue May 16 20:40:21 EDT 2006
>> That seems a real shame -- "Use 1DES in any homogeneous
>> environment or you may really hurt yourself."
It's not actually _that_ bad, and you don't want to change your
supported_enctypes line. The only _crucial_ thing is that you
cannot have service keys on a system that it cannot handle. The
clients don't matter ... only the application server (e.g., ktelnetd,
sshd, whatever) matters. We have a relatively complicated realm when
it comes to enctypes ... some systems, by regulation, cannot have
a single-DES enctype on them; other systems, for backwards compatibility
with some damn version of Java (don't get me started), can _only_
have a single-DES enctype. It all works fine, and our supported_enctypes
line has a bunch of enctypes in it. The only thing that is important
is that the single-DES only machines only have single-DES enctypes
on them (well, the no-single-DES machines don't have single-DES
keys, obviously).
>> Sadly, it also doesn't appear one can remove just *one* enctype
>> instance of a key (the 3DES one in my case).
Yeah, I sure wish MIT could do this. Oh, well. It's only a few seconds
to rekey it, though, and it's easy enough to automate it.
--Ken
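The check Ken describes (an application server's keytab must hold only enctypes that host can use, and if it holds others the principal gets rekeyed rather than having one enctype deleted) as an added example; this is not code from the original post. The `klist -k -e` output and the allowed-enctype list are constructed samples, and the host name is hypothetical.

```shell
#!/bin/sh
# Constructed sample of MIT `klist -k -e` output for a single-DES-only host;
# not captured from any real system.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/old.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   3 host/old.example.com@EXAMPLE.COM (Triple DES cbc mode with HMAC/sha1)
   3 host/old.example.com@EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)'

# Enctype names, as klist -e prints them, that this host can actually handle.
ALLOWED_ENCTYPES='DES cbc mode with CRC-32
DES cbc mode with RSA-MD5'

# Print every keytab entry whose enctype is not in the allowed list.
# Usage: unsupported_entries "<klist -k -e output>" "<allowed enctype names>"
unsupported_entries() {
  printf '%s\n' "$1" | grep '^ *[0-9][0-9]* ' | while IFS= read -r line; do
    enctype=${line##*(}          # text after the last "("
    enctype=${enctype%)}         # drop the closing ")"
    if ! printf '%s\n' "$2" | grep -Fxq -- "$enctype"; then
      printf '%s\n' "$line"
    fi
  done
}

# Number of offending entries. Anything non-zero means the principal has to be
# rekeyed with only the supported enctypes (e.g. kadmin's ktadd -e), because
# MIT kadmin cannot remove a single enctype instance of a key.
count_unsupported() {
  unsupported_entries "$1" "$2" | grep -c . || :
}

count_unsupported "$SAMPLE_KLIST" "$ALLOWED_ENCTYPES"   # prints 2 for the sample
```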