supported enctypes: what is the net effect of removing 3des?
Greg Hudson
ghudson at mit.edu
Sun Oct 3 13:21:05 EDT 2021
On 10/3/21 5:34 AM, Dan Mahoney (Gushi) wrote:
> My reading of "supported_enctypes" is simply that it will stop kadmin/the
> KDC from generating NEW keys of an older type, correct?
Correct. (The KDC doesn't generate long-term keys, so only
kadmind/kadmin.local and kdb5_util are affected. Also note that a
kadmin client can specify an enctype/salttype list when creating new key
sets, in which case supported_enctypes is ignored.)
> That if I do a
> cpw without -keepold, those keys will be removed -- but otherwise, the KDC
> will not act as though a user with 3des-only keys doesn't exist.
Correct. Removing an enctype from permitted_enctypes causes the KDC to
ignore keys of that type, but supported_enctypes is only about new
long-term keys.
> Changing it should not break any authentication or tickets?
Correct.
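Before dropping 3des from permitted_enctypes (which, as the reply explains, makes the KDC ignore keys of that type), a defender wants to know which principals still hold only such keys. The following script is an added example, not from the thread; it assumes the "Key: vno N, enctype" line format that `kadmin.local -q "getprinc <name>"` prints, and the sample input is constructed.

```bash
#!/bin/sh
# Added example: list principals whose key set still includes a given
# enctype (default des3-cbc-sha1), parsed from kadmin.local getprinc output.

# Constructed sample of getprinc output for two principals (not captured
# from any real KDC). The "no salt" suffix form is also handled.
SAMPLE_GETPRINC='Principal: alice@EXAMPLE.COM
Number of keys: 2
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, des3-cbc-sha1, no salt
Principal: bob@EXAMPLE.COM
Number of keys: 1
Key: vno 5, aes256-cts-hmac-sha1-96'

# Read getprinc output on stdin; print each principal (once) that has a
# key of enctype $1. Field 4 of a "Key:" line is the enctype, possibly
# followed by a comma when a salt description follows.
principals_with_enctype() {
    awk -v et="$1" '
        /^Principal: / { cur = $2 }
        /^Key: /       { k = $4; sub(/,$/, "", k)
                         if (k == et && !seen[cur]++) print cur }
    '
}

# Live variant (assumed usage; run as root on the KDC): enumerate the KDB
# and feed every principal through getprinc before filtering.
kdb_principals_with_enctype() {
    kadmin.local -q listprincs |
        grep -E '^[^[:space:]]+@[^[:space:]]+$' |
        while read -r p; do kadmin.local -q "getprinc $p"; done |
        principals_with_enctype "${1:-des3-cbc-sha1}"
}
```

Principals listed here need a `cpw` (without -keepold, once clients are updated) to shed the old keys; only then is removing the enctype from permitted_enctypes safe for them.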