Kerberos Migration Question.

Greg Hudson ghudson at mit.edu
Fri Aug 22 11:48:29 EDT 2014


On 08/22/2014 11:35 AM, Stephen Carville (Kerberos List) wrote:
> Everything works as expected -- so far :).  Is it necessary or even
> possible to re-key the database to use the default (aes256-cts?) in
> newer version?

It isn't necessary, but it is possible, using the instructions here:

http://web.mit.edu/kerberos/krb5-latest/doc/admin/database.html#updating-the-master-key

You might get a slight KDC performance benefit from using AES instead of
DES3 for the master key, but it's unlikely to be noticeable.


More information about the Kerberos mailing list