use of AES keys with kinit

Tom Simons tom.simons at gmail.com
Mon Sep 11 19:18:24 EDT 2006


On 9/11/06, Ken Raeburn <raeburn at mit.edu> wrote:
>
> On Sep 11, 2006, at 14:26, Rich Frobose wrote:
> > I find that when I have a principal with both a DES key and an AES128
> > key then I cannot use kinit to authenticate using a keytab file that
> > only has the AES128 key.  I would like to know why I cannot
> > authenticate through kinit using just my AES128 key.
>
> Currently kinit will not look at the keytab to come up with a list of
> encryption types; it just asks for any encryption type it knows
> about, and assumes that the KDC can do the right thing.  The KDC
> assumes that the keytab will have all of the keys, and picks the
> first one (they're in a sort of preference order in the database).
>
> We could change kinit to look at the keytab for the enctypes, but it
> could also be argued that if the KDC and keytab are not consistent,
> your configuration is broken....
>
>
> > In trying to research this I noticed the following in the latest (Aug
> > 4, 2006) "Kerberos V5 application programming library"
> > documentation.  In the description of the krb5_get_in_tkt call it
> > says that "valid encryption types are ETYPE_DES_CBC_CRC and
> > ETYPE_RAW_DES_CBC".
>
> That document is very much out of date, I'm afraid.
>
> > Am I to understand that the API used by kinit will use only DES keys
> > to get initial tickets?  If so, is this just a current implementation
> > problem or is there a more basic technical problem that will not let
> > kinit be extended to use an AES128 key?
>
> It should work just fine with AES... confusion about the
> configuration aside....
>
> Ken
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

Is it possible to compile Kerberos 1.5 to default to strong encryption (AES,
3DES), and eliminate the weaker ones entirely?
I see the ENCTYPEs and CKSUMTYPEs in src/include/krb5/krb5.h - is it just a
matter of removing/reordering them?
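Ken's point above is that kinit does not consult the keytab when deciding which enctypes to request, so a keytab that carries only a subset of the principal's keys (or still carries single-DES keys, the case Tom wants to compile out) goes unnoticed until a login fails. The script below, added to this archive page as an illustration and not code from the thread or from MIT krb5, lets an administrator list the enctypes a keytab actually holds and flag the single-DES ones. It assumes the MIT keytab file layout with version bytes 0x05 0x02 (big-endian integers, deleted slots marked by a negative size) and the standard enctype numbers; the principal `rich@EXAMPLE.COM`, the key bytes and the keytab blob itself are constructed inline, and the `build_keytab` helper exists only to produce that sample.

```python
import struct

# Kerberos enctype numbers (RFC 3961 / RFC 3962 / RFC 4757) and their krb5 names.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
# Single-DES enctypes: the "weaker ones" the thread wants to get rid of.
WEAK_ENCTYPES = {1, 2, 3}


def _counted(data):
    """Keytab counted string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(blob, pos):
    (n,) = struct.unpack_from(">H", blob, pos)
    pos += 2
    return blob[pos:pos + n], pos + n


def build_keytab(entries):
    """Serialise (principal, realm, kvno, enctype, key) tuples in the MIT
    keytab 0x0502 layout. Used here only to construct sample input."""
    out = bytearray(b"\x05\x02")
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        # name_type = 1 (KRB5_NT_PRINCIPAL), timestamp = 0, 8-bit vno
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key  # keyblock
        body += struct.pack(">I", kvno)                       # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(blob):
    """Return one dict per live keytab entry; key material is skipped, not returned."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:               # negative size marks a deleted slot of -size bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm, pos = _read_counted(blob, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(blob, pos)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", blob, pos)
        pos += 4 + klen            # step over the key bytes themselves
        vno = vno8
        if end - pos >= 4:         # optional 32-bit vno; a nonzero value overrides vno8
            (vno32,) = struct.unpack_from(">I", blob, pos)
            if vno32:
                vno = vno32
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": vno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "enctype %d" % enctype),
            "weak": enctype in WEAK_ENCTYPES,
        })
    return entries


def enctypes_for(blob, principal):
    """Set of enctype numbers the keytab holds for one principal."""
    return {e["enctype"] for e in parse_keytab(blob) if e["principal"] == principal}


def weak_keys(blob):
    """(principal, enctype name) pairs for every single-DES key in the keytab."""
    return [(e["principal"], e["enctype_name"]) for e in parse_keytab(blob) if e["weak"]]


# Constructed sample: a keytab like the one in the thread, holding both a DES
# key and an AES128 key for the same principal, followed by one deleted slot.
SAMPLE_KEYTAB = build_keytab([
    ("rich", "EXAMPLE.COM", 3, 1, b"\x11" * 8),
    ("rich", "EXAMPLE.COM", 3, 17, b"\x22" * 16),
]) + struct.pack(">i", -8) + b"\x00" * 8

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        flag = "WEAK" if e["weak"] else "ok"
        print("%-20s kvno=%d %-26s %s" % (e["principal"], e["kvno"], e["enctype_name"], flag))
```

To check a real file, replace `SAMPLE_KEYTAB` with the contents of the keytab read in binary mode; a principal whose keytab set differs from what the KDC holds is exactly the "KDC and keytab are not consistent" situation Ken describes, and any entry flagged WEAK is a single-DES key that would survive even if the client were rebuilt with DES enctypes removed.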
