Single-DES in krbtgt/REALM key

Greg Hudson ghudson at MIT.EDU
Wed Aug 21 17:25:22 EDT 2013


On 08/21/2013 04:35 PM, Russ Allbery wrote:
> That doesn't mean that they require DES; if the KDC no longer supports
> issuing DES service keys for the principal they're trying to get a service
> ticket for, they happily (and transparently) fall back to RC4.

Do you mean that the Java application makes multiple AS requests with
different enctype preference lists until one succeeds, or it makes one
AS request with a preference list in backwards order like {des rc4
maybe-other-stuff...}?

A KDC log entry will display the full list of request enctypes, but that
won't help if the Java application is requesting one enctype at a time
and falling back on the client side.

For reference, a sample AS_REQ ISSUE log line:

Aug 21 15:19:27 equal-rites krb5kdc[25539](info): AS_REQ (6 etypes {18
17 16 23 25 26}) 127.0.0.1: ISSUE: authtime 1377112767, etypes {rep=18
tkt=18 ses=18}, user at KRBTEST.COM for krbtgt/KRBTEST.COM at KRBTEST.COM
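
As an added example (not part of the original message and not MIT krb5 code): a parser for AS_REQ ISSUE lines of the form shown above that reports whether single-DES (enctypes 1, 2, 3) was requested, in what position, and whether any issued key used it. The sample lines are constructed, with principals written with "@"; the host name, addresses and client names are assumptions.

```python
import re

SINGLE_DES = {1, 2, 3}  # des-cbc-crc, des-cbc-md4, des-cbc-md5

# Matches the ISSUE form of the AS_REQ line shown in the message above.
AS_REQ_ISSUE = re.compile(
    r"AS_REQ \((\d+) etypes \{([\d ]+)\}\) (\S+): ISSUE: authtime (\d+), "
    r"etypes \{rep=(\d+) tkt=(\d+) ses=(\d+)\}, (\S+) for (\S+)"
)

def parse_as_req(line):
    """Return a dict for an AS_REQ ISSUE line, or None for anything else."""
    m = AS_REQ_ISSUE.search(" ".join(line.split()))  # undo syslog/mail wrapping
    if not m:
        return None
    requested = [int(e) for e in m.group(2).split()]
    if len(requested) != int(m.group(1)):
        return None  # count and list disagree: truncated or damaged line
    return {
        "requested": requested,
        "client_addr": m.group(3),
        "issued": {"rep": int(m.group(5)), "tkt": int(m.group(6)), "ses": int(m.group(7))},
        "client": m.group(8),
        "server": m.group(9),
    }

def classify(entry):
    """Describe how single-DES figures in the request and in the issued keys."""
    req = entry["requested"]
    if not SINGLE_DES.intersection(req):
        request = "no-des"
    elif len(req) == 1:
        request = "des-only"       # one enctype per request, consistent with client-side fallback
    elif req[0] in SINGLE_DES:
        request = "des-preferred"  # one request, DES listed first
    else:
        request = "des-offered"    # DES present but not first choice
    issued_des = sorted(k for k, v in entry["issued"].items() if v in SINGLE_DES)
    return request, issued_des

# Constructed sample lines (not from a real KDC); the first mirrors the example above.
SAMPLES = [
    "Aug 21 15:19:27 kdc1 krb5kdc[25539](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 127.0.0.1: ISSUE: authtime 1377112767, etypes {rep=18 tkt=18 ses=18}, user@KRBTEST.COM for krbtgt/KRBTEST.COM@KRBTEST.COM",
    "Aug 21 15:20:01 kdc1 krb5kdc[25539](info): AS_REQ (3 etypes {3 1 23}) 192.0.2.10: ISSUE: authtime 1377112801, etypes {rep=23 tkt=18 ses=23}, javaapp@KRBTEST.COM for krbtgt/KRBTEST.COM@KRBTEST.COM",
    "Aug 21 15:20:05 kdc1 krb5kdc[25539](info): AS_REQ (1 etypes {3}) 192.0.2.11: ISSUE: authtime 1377112805, etypes {rep=3 tkt=3 ses=3}, legacy@KRBTEST.COM for krbtgt/KRBTEST.COM@KRBTEST.COM",
]

def audit(lines):
    """Return (client, request class, issued DES key slots) per ISSUE line."""
    return [(e["client"],) + classify(e) for e in map(parse_as_req, lines) if e]
```

`audit(SAMPLES)` gives one tuple per line; only successful (ISSUE) requests are matched, so failed attempts from a client that retries one enctype at a time do not appear in the result.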


