Kerberos packets appear to be larger

Greg Hudson ghudson at MIT.EDU
Thu Aug 8 22:24:17 EDT 2013


On 08/08/2013 05:48 PM, Jeremy Hunt wrote:
>  From what you say, I presume any of these configuration fields in the 
> krb5.conf file
>          default_tkt_enctypes
>          default_tgs_enctypes
>          permitted_enctypes
>          kdc_req_checksum_type
>          ap_req_checksum_type
>          safe_checksum_type
> would only have an effect once the key was regenerated. Is that correct?

No, I was talking about supported_enctypes specifically, because that
affects the salt types used when a principal's keys are generated.

However, of the parameters you listed above, I think only the client
default_tkt_enctypes would affect the size of the AP-REP, and only in
the sense that including an AES enctype would make the reply smaller by
allowing it to omit a couple of padata elements.

(Well, that's not quite true.  permitted_enctypes on the KDC is used as
a filter for retrieving keys in the database.  If a client principal has
a long-term key whose enctype doesn't appear in permitted_enctypes, it
wouldn't appear in the etype-info padata fields.  But it also wouldn't
work for authenticating, and that would probably be undesirable.)

default_tgs_enctypes and kdc_req_checksum_type are used for TGS
requests, not AS requests.  safe_checksum_type is used for constructing
KRB-SAFE messages, which are rarely used outside of kprop/kpropd.
permitted_enctypes affects a number of things, but primarily session
keys during an AP-REQ exchange.
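Since the point above is that a changed supported_enctypes only shows up once a principal's keys are regenerated, a practical check is to look at the enctypes actually stored for a principal. The script below is an added example, not from this thread; it assumes MIT krb5's `kadmin.local -q "getprinc <principal>"` output, whose key lines read `Key: vno N, <enctype>`, and the sample output embedded here is constructed, not captured from a real KDC.

```shell
#!/bin/sh
# Constructed sample of `kadmin.local -q "getprinc ..."` output (not a real capture).
# A principal whose keys predate an AES-enabled supported_enctypes still has only
# the old enctypes until its password/keys are changed.
SAMPLE_OLD='Principal: alice@EXAMPLE.COM
Number of keys: 2
Key: vno 1, des-cbc-crc
Key: vno 1, des3-cbc-sha1'

SAMPLE_NEW='Principal: bob@EXAMPLE.COM
Number of keys: 2
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, aes128-cts-hmac-sha1-96'

# has_aes_key OUTPUT: prints "yes" if any stored key uses an AES enctype, else "no".
has_aes_key() {
    printf '%s\n' "$1" | grep -E '^Key: vno [0-9]+, aes[0-9]+-cts' >/dev/null \
        && echo yes || echo no
}

# key_vno OUTPUT: prints the highest key version number; a bump after a
# password change is the sign that the keys really were regenerated.
key_vno() {
    printf '%s\n' "$1" | sed -n 's/^Key: vno \([0-9]*\),.*/\1/p' | sort -n | tail -n 1
}

# Stand-alone run over the constructed samples.
for p in "$SAMPLE_OLD" "$SAMPLE_NEW"; do
    printf '%s aes=%s kvno=%s\n' \
        "$(printf '%s\n' "$p" | sed -n 's/^Principal: //p')" \
        "$(has_aes_key "$p")" "$(key_vno "$p")"
done
# Live use on a KDC (hypothetical principal name):
#   has_aes_key "$(kadmin.local -q 'getprinc alice@EXAMPLE.COM')"
```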
