master key type in kdc.conf

Greg Hudson ghudson at mit.edu
Sun Oct 3 13:15:46 EDT 2021


On 10/3/21 3:36 AM, Dan Mahoney (Gushi) wrote:
> We're in the process of rolling our mkey to get off 3des, and we found 
> that someone in the before-times has put this line in our kdc.conf:
> 
> master_key_type = des3-hmac-sha1
[...]
> Would things break if I just took this line out?  Or would the kdc fail to 
> start because a K/M of the default enctype isn't present yet?

From a review of the code, I am pretty sure that this setting is only
used when the mkey is entered from the keyboard (including during KDB
creation).  Assuming you are using a stash file, you should be able to
remove this setting.

