Best (or recommended) practices for updating and modifying encryption types supported on all principals?
Martin B. Smith
smithmb at ufl.edu
Thu Apr 12 10:47:52 EDT 2012
Hi all,
I'm looking at updating the list of encryption types we support at the
University of Florida. I'm doing this mostly in response to a bug
discussed on the krbdev list that affects various Kerberos operations in
Java:
http://mailman.mit.edu/pipermail/krbdev/2011-July/010226.html
That all being said, what is the recommended way to adjust the supported
encryption types for every principal in our KDB? So far, I see the main
option being dump and load using kdb5_util. Is there an even better way?
Also, here's our current configuration (we require PREAUTH, btw):
supported_enctypes = des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:v4 des-cbc-crc:afs3 des3-hmac-sha1:normal arcfour-hmac:normal
Is there anything in the 'must have' category that we should add or
'must get rid of' category that we should remove? My understanding
is that I should probably remove the single DES items.
Thanks in advance for any advice, war stories, or cautionary tales.
--
Martin B. Smith
smithmb at ufl.edu - (352) 273-1374
CNS/Open Systems Group
University of Florida