ktadd default enctype

Nico Williams nico at cryptonector.com
Fri Jun 5 11:14:39 EDT 2015


On Fri, Jun 05, 2015 at 07:24:06AM -0400, John Devitofranceschi wrote:
> How is ktadd *supposed* to figure out which enctype(s) to use?

Long ago I made Solaris' ktadd use the locally supported enctype list as
the default for ktadd, as if they'd been passed via the -e option (which
still works, natch).

> I am seeing an issue where kadmin’s ktadd, if left to its own devices,
> will generate a key with an encryption type that has nothing to do
> with the KDC’s supported_enctype list and ktadd seems to completely
> ignore the local client’s default/permitted enctype settings.

Eh?  No, it should not ignore the KDC's supported_enctype list unless it
implements the change I mentioned above.

The supported_enctypes list was meant to apply only when the client
didn't use the -e option.

> KDC supports: des3-cbc-sha1 des-cbc-crc (I know, I know)
> 
> Client's krb5.conf tells it to support: des-cbc-crc (I know, I know) 

<phaser type="disapproval" level="11">
...
</phaser>

> 
> But when we run ktadd the resulting keytab’s key has des-cbc-md5
> 
> The  client is an Oracle Linux with 1.6.1 krb5 client software.
> 
> Also, the KDC is using Sun Solaris 10 Kerberos software (not MIT).
> 
> Thanks for any insight!

I bet the Oracle client is using the kadm5_create_principal_3() RPC,
which means you don't get the supported_enctypes.

Try using the -e option.

Nico
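As an added illustration of the advice above (not part of the original message or of any Kerberos distribution), the following script builds the ktadd query with an explicit -e keysalt list so the client never falls back to its own default, and then checks the resulting keytab's enctypes against the list the KDC is known to support. The principal, realm, keytab path, admin principal and the klist -kte sample are assumed placeholders; the klist parser assumes the MIT layout that prints the enctype name in parentheses at the end of each line, which older releases that print descriptive names would not match.

```shell
#!/bin/sh
# Added example, not code from the original post. Pins ktadd's enctypes with
# -e and verifies the keytab afterwards. All names and paths are placeholders.

# enctype:salt pairs for ktadd -e. These are the two enctypes the KDC in the
# thread was said to support; salt type "normal" is an assumption.
WANTED_KEYSALTS="des3-cbc-sha1:normal,des-cbc-crc:normal"

# Build the kadmin -q query. -e must come before the principal; a comma
# separated list avoids having to quote inside the query string.
# $1 = keytab path, $2 = principal, $3 = keysalt list
build_ktadd_query() {
    printf 'ktadd -k %s -e %s %s' "$1" "$3" "$2"
}

# Run ktadd for real. Needs kadmin and admin credentials, so the checks at
# the bottom never call this.
# $1 = admin principal, $2 = keytab path, $3 = principal
run_ktadd() {
    kadmin -p "$1" -q "$(build_ktadd_query "$2" "$3" "$WANTED_KEYSALTS")"
}

# Turn the keysalt list into the bare enctype names we expect in the keytab:
# "des3-cbc-sha1:normal,des-cbc-crc:normal" -> "des3-cbc-sha1 des-cbc-crc"
allowed_from_keysalts() {
    printf '%s\n' "$1" | sed 's/:[^,]*//g; s/,/ /g'
}

# Print one enctype per line from `klist -kte` output read on stdin.
# Assumes MIT's "(enctype)" suffix on each key line.
keytab_enctypes() {
    sed -n 's/.*(\([^)]*\))[[:space:]]*$/\1/p'
}

# Read enctypes on stdin; fail if any is outside the allowed list ($1,
# space separated) or if the keytab yielded no keys at all.
check_enctypes() {
    allowed=" $1 "
    seen=0
    status=0
    while IFS= read -r et; do
        seen=$((seen + 1))
        case "$allowed" in
            *" $et "*) ;;
            *) printf 'unexpected enctype in keytab: %s\n' "$et" >&2; status=1 ;;
        esac
    done
    [ "$seen" -gt 0 ] || { echo 'no keys found in keytab' >&2; status=1; }
    return $status
}

# $1 = text of `klist -kte` output, $2 = allowed enctypes
verify_keytab() {
    printf '%s\n' "$1" | keytab_enctypes | check_enctypes "$2"
}

# Constructed sample of `klist -kte` output reproducing the poster's symptom:
# a des-cbc-md5 key that the KDC's supported_enctypes never listed.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 06/05/2015 11:00:00 host/client.example.com@EXAMPLE.COM (des3-cbc-sha1)
   3 06/05/2015 11:00:00 host/client.example.com@EXAMPLE.COM (des-cbc-md5)'

# Stand-alone demonstration. In production you would run
#   run_ktadd admin/admin@EXAMPLE.COM /etc/krb5.keytab host/client.example.com
# and then pipe `klist -kte /etc/krb5.keytab` into keytab_enctypes instead.
echo "query: $(build_ktadd_query /etc/krb5.keytab host/client.example.com "$WANTED_KEYSALTS")"
if verify_keytab "$SAMPLE_KLIST" "$(allowed_from_keysalts "$WANTED_KEYSALTS")"; then
    echo "keytab enctypes match the KDC's supported list"
else
    echo "keytab contains enctypes the KDC does not support"
fi
```

The first stage is the query you would hand to kadmin -q; the second is the check worth running after any ktadd, since a keytab with an enctype the KDC never issues service tickets for will fail at authentication time rather than at provisioning time.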