Solaris 9, stock sshd, pam_krb5, MIT 1.4.3 KDC

Nicolas Williams Nicolas.Williams at sun.com
Thu May 18 20:25:36 EDT 2006


On Thu, May 18, 2006 at 04:12:00PM -0700, Henry B. Hotz wrote:
> On May 16, 2006, at 2:32 PM, kerberos-request at mit.edu wrote:
> On Heimdal you would normally create the entry and then delete the  
> unwanted encryption key types (if necessary).  I think the mechanism  
> is different for Sun or MIT servers:  you specify the enc type you  
> want as part of the add?

Correct.

>                           I wouldn't prohibit des3 across the board  
> just because you have some Sun machines that haven't been upgraded to  
> Solaris 10.

Me either.

If you move your KDC to Solaris 10 you'll get the benefit of that
kadmind heuristic and never (mostly) notice this problem.

(The heuristic, IIRC, is that the randkey operation assumes only 1DES is
desired -- kadmin/ktadd on S10 always uses the randkey_3 operation,
while on S8/9 it always uses randkey.)

Nico
-- 


