Solaris 9, stock sshd, pam_krb5, MIT 1.4.3 KDC

Ken Hornstein kenh at cmf.nrl.navy.mil
Tue May 16 20:40:21 EDT 2006


>> That seems a real shame -- "Use 1DES in any homogeneous
>> environment or you may really hurt yourself."

It's not actually _that_ bad, and you don't want to change your
supported_enctypes line.  The only _crucial_ thing is that you
cannot have service keys on a system that it cannot handle.  The
clients don't matter ... only the application server (e.g., ktelnetd,
sshd, whatever) matters.  We have a relatively complicated realm when
it comes to enctypes ... some systems, by regulation, cannot have
a single-DES enctype on them; other systems, for backwards compatibility
with some damn version of Java (don't get me started), can _only_
have a single-DES enctype.  It all works fine, and our supported_enctypes
line has a bunch of enctypes in it.  The only thing that is important
is that the single-DES-only machines only have single-DES enctypes
on them (well, the no-single-DES machines don't have single-DES
keys, obviously).

>> Sadly, it also doesn't appear one can remove just *one* enctype
>> instance of a key (the 3DES one in my case).

Yeah, I sure wish MIT could do this.  Oh, well.  It's only a few seconds
to rekey it, though, and it's easy enough to automate it.

--Ken
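A check for the rule described above (a host's service keys may only use enctypes that host can handle), as an added example that is not from the thread or from MIT Kerberos: it parses `klist -ke` output and reports which principals carry an enctype violating the host's policy, so those principals can be rekeyed. It assumes the short enctype names that newer MIT `klist` prints (older releases print descriptive strings such as "DES cbc mode with CRC-32"); the keytab contents, host and realm below are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `klist -ke` output; host, realm and path are placeholders.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/legacy.example.com@EXAMPLE.COM (des-cbc-crc)
   3 host/legacy.example.com@EXAMPLE.COM (des3-cbc-sha1)
   3 host/legacy.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

# Single-DES enctype names as printed by MIT klist.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}

# One key entry: "<kvno> <principal> (<enctype>)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")


def parse_klist(text: str) -> List[Tuple[int, str, str]]:
    """Return (kvno, principal, enctype) for every key entry in klist -ke output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3).strip()))
    return entries


def disallowed_keys(text: str, policy: str) -> Dict[str, List[str]]:
    """Map each principal to the enctypes that violate the host's policy.

    policy: 'single-des-only'  -> host (e.g. old Java) can only use single DES
            'no-single-des'    -> single DES forbidden on this host
    A principal with any offending key must be rekeyed as a whole, since a
    single enctype instance cannot be removed on its own.
    """
    if policy not in ("single-des-only", "no-single-des"):
        raise ValueError(f"unknown policy: {policy}")
    bad: Dict[str, List[str]] = {}
    for _kvno, principal, enctype in parse_klist(text):
        is_des = enctype in SINGLE_DES
        if (policy == "single-des-only") != is_des:
            bad.setdefault(principal, []).append(enctype)
    return bad


if __name__ == "__main__":
    for princ, encs in disallowed_keys(SAMPLE_KLIST, "no-single-des").items():
        print(f"rekey {princ}: disallowed enctypes {encs}")
```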
