ktadd default enctype
Nico Williams
nico at cryptonector.com
Fri Jun 5 11:14:39 EDT 2015
On Fri, Jun 05, 2015 at 07:24:06AM -0400, John Devitofranceschi wrote:
> How is ktadd *supposed* to figure out which enctype(s) to use?
Long ago I made Solaris' ktadd use the locally supported enctype list as
the default for ktadd, as if they'd been passed via the -e option (which
still works, natch).
> I am seeing an issue where kadmin’s ktadd, if left to its own devices,
> will generate a key with an encryption type that has nothing to do
> with the KDC’s supported_enctype list and ktadd seems to completely
> ignore the local client’s default/permitted enctype settings.
Eh? No, it should not ignore the KDC's supported_enctype list unless it
implements the change I mentioned above.
The supported_enctypes list was meant to apply only when the client
didn't use the -e option.
> KDC supports: des3-cbc-sha1 des-cbc-crc (I know, I know)
>
> Client's krb5.conf tells it to support: des-cbc-crc (I know, I know)
<phaser type="disapproval" level="11">
...
</phaser>
>
> But when we run ktadd the resulting keytab’s key has des-cbc-md5
>
> The client is an Oracle Linux with 1.6.1 krb5 client software.
>
> Also, the KDC is using Sun Solaris 10 Kerberos software (not MIT).
>
> Thanks for any insight!
I bet the Oracle client is using the kadm5_create_principal_3() RPC,
which means you don't get the supported_enctypes.
Try using the -e option.
Nico
--
More information about the Kerberos
mailing list