Kerberized Services and Enctypes

John Hascall
Fri Oct 5 10:15:05 EDT 2007

I'm looking to start using some strong enctypes
for our realm and the one bit which seems trickiest
is service keys.

As I understand how the KDC works, when a client
requests a ticket for a service, the key used to
encrypt the ticket itself (as opposed to the
session and reply keys) is selected as follows:

   1) find the highest kvno in use on the service principal
   2) find the first key in the DB with this kvno 
      where the order of the keys in the DB for a service principal
      was determined by:
       a) those specified on the command, or
       b) the supported_enctypes config file statement
      at the time the principal was created/rekeyed
     (and if -keepold was specified there may be various kvnos)

Thus, if I, for example, add "aes256-hmac-sha1" to the front of the
supported_enctypes config statement and then a service key is created/rekeyed
(w/o explicitly stating a more limited set of enctypes), then tickets for
that service will start coming encrypted using an aes256-hmac-sha1 key.

And if the service doesn't support that key encryption type, users are screwed.

So, finally, to my question...

How do I know which key types a service can support?
Am I pretty much relegated to setting up a test KDC
and pointing test clients at it and then trial&error
for every single service/server/keytype combination
to see which ones work and which ones don't?

Or is there some way I can just check, oh this server
app is linked against krb5-1.x.y and that supports
enctypes a, b & c?  Is there even a list of which
release each enctype was first supported in?

(Assume for the moment that I haven't the power to make
every single service owner update to the latest KRB release)
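The key-selection rule the post describes (highest kvno, then the first key stored with that kvno, where DB order comes from the command line or the supported_enctypes list at rekey time), as an added Python model that is not part of the post and not MIT krb5's own code. It simulates a rekey with and without keepold and then checks whether the enctype the KDC would pick is one the service can actually decrypt, which is the failure the post worries about. The enctype names and the `enctype:salttype` form of the supported_enctypes value follow MIT kdc.conf conventions; the service's supported set is a constructed sample.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ServiceKey:
    """One long-term key on a service principal (constructed model)."""
    kvno: int
    enctype: str


def parse_supported_enctypes(value: str) -> List[str]:
    """Parse a kdc.conf supported_enctypes value such as
    'aes256-cts-hmac-sha1-96:normal des3-cbc-sha1:normal' into an ordered
    list of enctype names (the ':salttype' suffix is dropped). Order matters:
    it becomes the DB order of the keys created at the next rekey."""
    return [tok.split(":", 1)[0] for tok in value.split() if tok]


def rekey(keys: Iterable[ServiceKey], new_kvno: int,
          enctype_order: List[str], keepold: bool = False) -> List[ServiceKey]:
    """Simulate creating/rekeying a principal. New keys are appended in the
    given enctype order; with keepold the previous kvnos stay in the DB."""
    kept = list(keys) if keepold else []
    return kept + [ServiceKey(new_kvno, e) for e in enctype_order]


def select_ticket_key(keys: List[ServiceKey]) -> ServiceKey:
    """The selection rule from the post: highest kvno in use, then the first
    key stored under that kvno. Keys with older kvnos are never chosen."""
    if not keys:
        raise ValueError("service principal has no keys")
    top_kvno = max(k.kvno for k in keys)
    return next(k for k in keys if k.kvno == top_kvno)


def check_service_compat(keys: List[ServiceKey],
                         service_enctypes: Set[str]) -> Tuple[ServiceKey, bool, Optional[str]]:
    """Return (selected key, ok, advice). 'ok' is False when the KDC would
    encrypt tickets with an enctype the service cannot decrypt, i.e. the
    situation that leaves users unable to authenticate to that service."""
    selected = select_ticket_key(keys)
    if selected.enctype in service_enctypes:
        return selected, True, None
    # A compatible key may exist under the same kvno but later in DB order;
    # the fix is to rekey with an explicit, narrower enctype list.
    same_kvno = [k.enctype for k in keys if k.kvno == selected.kvno]
    usable = [e for e in same_kvno if e in service_enctypes]
    advice = (f"rekey with enctypes limited to {usable}" if usable
              else "service supports none of the current kvno's enctypes")
    return selected, False, advice


if __name__ == "__main__":
    # Constructed scenario: an old service that only understands DES3/DES.
    old_service = {"des3-cbc-sha1", "des-cbc-crc"}
    keys = rekey([], 1, ["des3-cbc-sha1", "des-cbc-crc"])
    print(check_service_compat(keys, old_service))
    # Admin puts AES first in supported_enctypes and rekeys with -keepold.
    order = parse_supported_enctypes(
        "aes256-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des-cbc-crc:normal")
    keys = rekey(keys, 2, order, keepold=True)
    print(check_service_compat(keys, old_service))
```

Running the script shows the first check passing (kvno 1, des3) and the second failing: after the rekey the KDC selects the kvno 2 AES key even though the kvno 1 keys are still present, and the advice line points at rekeying that service with an explicit enctype list instead of the realm-wide default.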
