Best (or recommended) practices for updating and modifying encryption types supported on all principals?

Martin B. Smith smithmb at ufl.edu
Thu Apr 12 10:47:52 EDT 2012


Hi all,

I'm looking at updating the list of encryption types we support at the 
University of Florida. I'm doing this mostly in response to a bug 
discussed on the krbdev list that affects various Kerberos operations in 
Java:
  http://mailman.mit.edu/pipermail/krbdev/2011-July/010226.html

That all being said, what is the recommended way to adjust the supported 
encryption types for every principal in our KDB? So far, I see the main 
option being dump and load using kdb5_util. Is there an even better way?

Also, here's our current configuration (we require PREAUTH, btw):

supported_enctypes = des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:v4 des-cbc-crc:afs3 des3-hmac-sha1:normal arcfour-hmac:normal

Is there anything in the 'must have' category that we should add or 
'must get rid of' category that we should remove? My understanding 
is that I should probably remove the single DES items.

Thanks in advance for any advice, war stories, or cautionary tales.
-- 
Martin B. Smith
smithmb at ufl.edu - (352) 273-1374
CNS/Open Systems Group
University of Florida
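
Added example, not part of the original message and not MIT krb5 code: a small audit of the supported_enctypes value quoted in the post, separating the single-DES key/salt entries the poster expects to remove from the rest. The function names are hypothetical, the sample is the post's own setting re-typed as constructed input, and the script makes no judgement about the entries it keeps.

```python
import re

# Single-DES enctype names exactly as they appear in the post's setting.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-hmac-sha1"}

# Constructed sample: the value from the post, still wrapped across two
# lines the way the mail client left it.
SAMPLE = """supported_enctypes =  des-hmac-sha1:normal des-cbc-md5:normal
des-cbc-crc:v4 des-cbc-crc:afs3 des3-hmac-sha1:normal arcfour-hmac:normal
"""

def parse_keysalts(text):
    """Return [(enctype, salttype), ...] from one supported_enctypes setting.

    Assumption: `text` holds only this setting (possibly line-wrapped),
    not a whole kdc.conf. salttype is "" when the entry has no ":salt".
    """
    match = re.search(r"supported_enctypes\s*=\s*(.*)", text, re.S)
    if not match:
        raise ValueError("no supported_enctypes setting found")
    pairs = []
    for item in re.split(r"[\s,]+", match.group(1).strip()):
        if item:
            enctype, _, salt = item.partition(":")
            pairs.append((enctype.lower(), salt.lower()))
    return pairs

def audit(text):
    """Split entries into (keep, drop); drop holds the single-DES ones."""
    keep, drop = [], []
    for enctype, salt in parse_keysalts(text):
        entry = f"{enctype}:{salt}" if salt else enctype
        (drop if enctype in SINGLE_DES else keep).append(entry)
    return keep, drop

def rewritten_setting(text):
    """Rebuild the setting on one line without the single-DES entries."""
    keep, _ = audit(text)
    return "supported_enctypes = " + " ".join(keep)

if __name__ == "__main__":
    keep, drop = audit(SAMPLE)
    print("single DES entries:", " ".join(drop))
    print(rewritten_setting(SAMPLE))
```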
