supported enctypes: what is the net effect of removing 3des?

Greg Hudson ghudson at mit.edu
Sun Oct 3 13:21:05 EDT 2021


On 10/3/21 5:34 AM, Dan Mahoney (Gushi) wrote:
> My reading of "supported_enctypes" is simply that it will stop kadmin/the 
> KDC from generating NEW keys of an older type, correct?

Correct.  (The KDC doesn't generate long-term keys, so only
kadmind/kadmin.local and kdb5_util are affected.  Also note that a
kadmin client can specify an enctype/salttype list when creating new key
sets, in which case supported_enctypes is ignored.)

> That if I do a 
> cpw without -keepold, those keys will be removed -- but otherwise, the KDC 
> will not act as though a user with 3des-only keys doesn't exist.

Correct.  Removing an enctype from permitted_enctypes causes the KDC to
ignore keys of that type, but supported_enctypes is only about new
long-term keys.

> Changing it should not break any authentication or tickets?

Correct.
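To make the distinction between the two settings concrete, here is an added configuration example (not from the thread; the realm name is a placeholder) showing how the two knobs are set during a 3DES phase-out:

```ini
# Added example: kdc.conf [realms] stanza during a 3DES phase-out.
# Realm name is a placeholder.
[realms]
    EXAMPLE.COM = {
        # supported_enctypes only governs NEW long-term keys generated by
        # kadmind, kadmin.local and kdb5_util. Dropping des3 here leaves
        # existing keys in place and does not break authentication or tickets.
        # Before: a 3DES key was still generated on every addprinc / cpw.
        #supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal
        # After: only AES keys are created for new key sets.
        supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
        # A kadmin client can still pass its own enctype:salttype list with
        # "-e" (e.g. cpw -e ...), which bypasses this setting for that operation.
    }

# krb5.conf [libdefaults] on the KDC: permitted_enctypes is the setting that
# makes the KDC ignore keys of a type. Keep des3 listed until every principal
# has been rekeyed (cpw without -keepold drops the old keys); removing it
# first would leave principals holding only 3DES keys with no usable key.
[libdefaults]
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1
```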

