supported_enctypes question
Kevin Coffman
kwc at citi.umich.edu
Wed Aug 26 15:49:11 EDT 2009
Wed, Aug 26, 2009 at 3:21 PM, Tom Yu<tlyu at mit.edu> wrote:
> Russ Allbery <rra at stanford.edu> writes:
>
>> Tom Yu <tlyu at MIT.EDU> writes:
>>> John Harris <harris at ucdavis.edu> writes:
>>
>>>> If I just have aes256-cts:normal and rc4-hmac:normal listed in kdc.conf
>>>> in the supported_enctypes field, I'm still able to create the
>>>> des-cbc-crc:normal service principal I need. In fact, I can kinit -S
>>>> for it and obtain it. My confusion lies in that I thought not having
>>>> des-cbc-crc:normal in this configuration line meant the KDC wouldn't
>>>> recognize or serve tickets for it.
>>
>>>> It'd be great to not have to put this in the config line so that later
>>>> principals only get the aes256 and rc4 types on them, but I'm not
>>>> understanding why I'm successfully obtaining a principal with only the
>>>> des encryption type without adding it to this line.
>>
>>> The "supported_enctypes" configuration variable really means "default
>>> list of enctype-salttype pairs for which the kadmin subsystem will
>>> generate keys". The name is arguably misleading; if anyone has ideas
>>> about a better name, please suggest one.
>>
>> default_enctypes, maybe?
>
> Possibly... though we do already have "default_tkt_enctypes" and
> "default_tgs_enctypes", which mean something completely different.
default_ktadd_enctypes ?
More information about the Kerberos
mailing list