problem with master_key_type = des3-cbc-sha1?
Will Fiveash
william.fiveash at sun.com
Thu May 16 14:56:00 EDT 2002
On Thu, May 16, 2002 at 02:03:06PM -0400, Sam Hartman wrote:
> Your master keytype *must* be one of your supported_enctypes.

Sure, but isn't des3-cbc-sha1 or des3-hmac-sha1 one of the default
supported_enctypes? In fact, look at kadm5_get_config_params() in
src/lib/kadm5/alt_prof.c. At line 685 there's code to deal with
setting the supported_enctypes option. It appears to me that if the
supported_enctype isn't passed in on the command line or explicitly
set in the kdc.conf file then the default is to use (line 705):

    svalue = strdup("des3-hmac-sha1:normal des-cbc-crc:normal");

So you shouldn't have to set supported_enctypes in kdc.conf in order
to use master_key_type = des3-cbc-sha1. And now that I'm looking at
src/lib/kadm5/alt_prof.c I notice that the default enctype for the
master_key_type is DEFAULT_KDC_ENCTYPE and that's defined as:

    #define DEFAULT_KDC_ENCTYPE ENCTYPE_DES_CBC_CRC

Why isn't the DEFAULT_KDC_ENCTYPE ENCTYPE_DES3_CBC_SHA1? Is this for
better interop? I can understand that but I don't think the default
for the master key should be ENCTYPE_DES_CBC_CRC. Perhaps the code
assigning the default enctype for the master key should be changed to
use ENCTYPE_DES3_CBC_SHA1.
--
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
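
The rule discussed in this message (the master key type must appear in supported_enctypes, with defaults applied when kdc.conf leaves either unset) can be checked as below. This is an added example, not code from the post or from the krb5 source; master_key_supported() and its helpers are hypothetical names, the two defaults are the ones quoted in the message, and treating des3-cbc-sha1 and des3-hmac-sha1 as the same enctype is an assumption taken from the message's wording.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Defaults exactly as quoted in the post; not taken from any other krb5 release. */
#define DEFAULT_SUPPORTED "des3-hmac-sha1:normal des-cbc-crc:normal"
#define DEFAULT_MASTER    "des-cbc-crc"   /* DEFAULT_KDC_ENCTYPE in the post */

/* Case-insensitive compare of the first n bytes of tok against a whole name. */
static int name_eq(const char *tok, size_t n, const char *name)
{
    size_t i;
    if (strlen(name) != n)
        return 0;
    for (i = 0; i < n; i++)
        if (tolower((unsigned char)tok[i]) != tolower((unsigned char)name[i]))
            return 0;
    return 1;
}

/* Assumption: the two triple-DES spellings in the post name one enctype. */
static int is_des3(const char *tok, size_t n)
{
    return name_eq(tok, n, "des3-cbc-sha1") || name_eq(tok, n, "des3-hmac-sha1");
}

/* Return 1 if master is listed in supported ("enctype:salt" entries separated
 * by spaces, tabs or commas). NULL means "not set", so the default applies. */
int master_key_supported(const char *master, const char *supported)
{
    size_t mlen, n;
    const char *p;
    if (master == NULL) master = DEFAULT_MASTER;
    if (supported == NULL) supported = DEFAULT_SUPPORTED;
    mlen = strlen(master);
    for (p = supported; *p != '\0'; p += strcspn(p, " \t,")) {
        p += strspn(p, " \t,");       /* skip separators before the entry */
        n = strcspn(p, ": \t,");      /* enctype name stops at the ":salt" part */
        if (n == 0) continue;         /* empty name or end of list */
        if (name_eq(p, n, master) || (is_des3(p, n) && is_des3(master, mlen)))
            return 1;
    }
    return 0;
}

int main(void)
{
    printf("%d\n", master_key_supported("des3-cbc-sha1", NULL));
    printf("%d\n", master_key_supported("des3-cbc-sha1", "des-cbc-crc:normal"));
    return 0;
}
```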