Kerberized Services and Enctypes

Ken Hornstein kenh at
Fri Oct 5 10:30:41 EDT 2007

>How do I know which key types a service can support?

>From the KDC's perspective, there is no way to know that; it falls upon the
admin (you) to know that.

>Am I pretty much relegated to setting up a test KDC
>and pointing test clients at it and then trial&error
>for every single service/server/keytype combination
>to see which ones work and which ones don't?
>Or is there some way I can just check, oh this server
>app is linked against krb5-1.x.y and that supports
>enctypes a, b & c?  Is there even a list of which
>release each enctype was first supported in?

You could probably generate that yourself just by looking at a release
history.  You might even be able to write a small program that uses the
krb5 API to determine which enctypes a particular Kerberos library
supports.  I don't think the number of enctypes you care about is large,
is it?  I mean, I think from a practical perspective what you care
about 3DES, ArcFour, and AES.  I would guess ArcFour and AES came in to
MIT Kerberos around the same time.  Might require a little bit of work
looking at different releases, but it shouldn't take that long.


More information about the Kerberos mailing list