Single-DES in krbtgt/REALM key

Russ Allbery rra at stanford.edu
Wed Aug 21 16:35:53 EDT 2013


Christian <chanlists at googlemail.com> writes:

> Hi list,

>> And we should probably add instructions about checking the logs for
>> DES-only clients. 

> how about this?

It's probably worth noting that our experience when doing something like
this is that Java applications that use Kerberos (including the most
recent versions of Java) always acquire DES session keys by preference.
That doesn't mean that they require DES; if the KDC no longer supports
issuing DES service keys for the principal they're trying to get a service
ticket for, they happily (and transparently) fall back to RC4.

I didn't do the experiment of gradually disabling enctype after enctype to
see if they would slowly walk up the list of enctypes from weak to strong,
using a strong enctype only as the absolute last resort.

We were going to do an analysis of clients that were getting DES enctypes
and try to fix them before disabling DES, but we got so many false
positives from Java that we just gave up on that idea and just dropped DES
support from nearly all of our service keys without doing that first.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

