supported_enctypes question
Russ Allbery
rra at stanford.edu
Wed Aug 26 15:13:00 EDT 2009
Tom Yu <tlyu at MIT.EDU> writes:
> John Harris <harris at ucdavis.edu> writes:
>> If I just have aes256-cts:normal and rc4-hmac:normal listed in kdc.conf
>> in the supported_enctypes field, I'm still able to create the
>> des-cbc-crc:normal service principal I need. In fact, I can kinit -S
>> for it and obtain it. My confusion lies in that I thought not having
>> des-cbc-crc:normal in this configuration line meant the KDC wouldn't
>> recognize or serve tickets for it.
>> It'd be great to not have to put this in the config line so that later
>> principals only get the aes256 and rc4 types on them, but I'm not
>> understanding why I'm successfully obtaining a principal with only the
>> des encryption type without adding it to this line.
> The "supported_enctypes" configuration variable really means "default
> list of enctype-salttype pairs for which the kadmin subsystem will
> generate keys". The name is arguably misleading; if anyone has ideas
> about a better name, please suggest one.
default_enctypes, maybe?
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
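Added example, not part of the original thread or of MIT Kerberos: because supported_enctypes is only the default keysalt list used when keys are generated, principals can still hold keys outside it, and the Python audit below flags those principals. The kdc.conf text, realm, principal names and key inventory are constructed sample data, and the alias table is an assumption covering only the enctype names used here.

```python
import re

# Short alias -> canonical enctype name (assumption: only names used below).
ALIASES = {
    "aes256-cts": "aes256-cts-hmac-sha1-96",
    "rc4-hmac": "arcfour-hmac",
}

def canon(keysalt):
    """Normalise 'enctype[:salttype]' to (canonical enctype, salttype)."""
    enc, _, salt = keysalt.strip().lower().partition(":")
    return ALIASES.get(enc, enc), salt or "normal"

def supported_enctypes(kdc_conf, realm):
    """Return the realm's supported_enctypes as a set of canonical pairs."""
    block = re.search(re.escape(realm) + r"\s*=\s*\{(.*?)\}", kdc_conf, re.S)
    if not block:
        raise ValueError("realm %s not found" % realm)
    line = re.search(r"supported_enctypes\s*=\s*([^\n#]+)", block.group(1))
    if not line:
        raise ValueError("supported_enctypes not set for %s" % realm)
    return {canon(k) for k in re.split(r"[,\s]+", line.group(1).strip())}

def audit(kdc_conf, realm, inventory):
    """Map each principal to the keysalts it holds outside the default list."""
    allowed = supported_enctypes(kdc_conf, realm)
    findings = {}
    for principal, keys in inventory.items():
        extra = sorted(k for k in keys if canon(k) not in allowed)
        if extra:
            findings[principal] = extra
    return findings

# Constructed sample configuration, mirroring the setting in the question.
KDC_CONF = """
[realms]
    EXAMPLE.COM = {
        supported_enctypes = aes256-cts:normal rc4-hmac:normal
    }
"""

# Constructed inventory: principal -> keysalts stored for it in the database.
INVENTORY = {
    "host/new.example.com@EXAMPLE.COM": ["aes256-cts-hmac-sha1-96:normal", "arcfour-hmac:normal"],
    "legacy/app.example.com@EXAMPLE.COM": ["des-cbc-crc:normal"],
}

if __name__ == "__main__":
    for principal, keys in audit(KDC_CONF, "EXAMPLE.COM", INVENTORY).items():
        print(principal, "holds keys outside supported_enctypes:", ", ".join(keys))
```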