Converting KDC from DES

[Mike Friedman]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[Sorry if two copies of this get sent out.  The first one had a return 
address other than the one with which I'm subscribed to this list, so I'm 
sending this second copy to be sure it gets through at all].

I'm going to be moving our KDC to a new set of servers and a current 
release level of MIT K5 (going from 1.4.2 to 1.6.3).  If it's feasible, 
I'd like to take this opportunity to move from DES to a better encryption 
algorithm for our KDCs.

Questions:

1.  Can conversion to a new encryption algorithm be done non-disruptively 
to users?  What about users whose passwords were set back in our MIT K4 
days (I'm not sure if we have any of those left - we've been on K5 for 
over 8 years - but it's possible we do).

2.  What are all the steps involved?  Since I'll be moving everything to 
new machines, I'm willing to do more than I would if this were just a 
release upgrade of my existing Kerberos environment.

3.  Assuming this is all doable, any suggestions as to which encryption 
algorithm to use?

Thanks.

Mike

_________________________________________________________________________
Mike Friedman                        Information Services & Technology
mikef at berkeley.edu                   2484 Shattuck Avenue
1-510-642-1410                       University of California at Berkeley
http://socrates.berkeley.edu/~mikef  http://ist.berkeley.edu
_________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQA/AwUBR7jkwK0bf1iNr4mCEQLikwCeMhk0dtacxqzhyvhq/vne+HGFZxYAoL+s
ff+u5bRAwLbl1bQmt6U5yZsX
=jPgu
-----END PGP SIGNATURE-----