problem with master_key_type = des3-cbc-sha1?

Sam Hartman hartmans at MIT.EDU
Mon May 20 09:59:01 EDT 2002


>>>>> "Will" == Will Fiveash <william.fiveash at sun.com> writes:

    Will> On Thu, May 16, 2002 at 01:55:17PM -0500, Will Fiveash
    Will> wrote:
    >> On Thu, May 16, 2002 at 02:03:06PM -0400, Sam Hartman wrote:
    >> > Your master keytype *must* be one of your supported_enctypes.
    >> 
    >> Sure, but isn't des3-cbc-sha1 or des3-hmac-sha1 one of the
    >> default supported_enctypes?  In fact, look at
    >> kadm5_get_config_params() in src/lib/kadm5/alt_prof.c.  At line
    >> 685 there's code to deal with setting the supported_enctypes
    >> option.  It appears to me that if the supported_enctype isn't
    >> passed in on the command line or explicitly set in the kdc.conf
    >> file then the default is to use (line 705):
    >> 
    >> svalue = strdup("des3-hmac-sha1:normal des-cbc-crc:normal");

    Will> I think I understand part of the problem with the default
    Will> value for supported_enctypes.  The default above is set in
    Will> kadm5_get_config_params() but that isn't called by krb5kdc.
    Will> krb5_read_realm_params() is called by krb5kdc but that
    Will> doesn't set a default value for supported_enctypes.


One of the significant deficiencies in MIT Kerberos is its default
handling.  

If you want to contribute code to improve this, your contributions
would be welcome.  

Fixing defaults is something we care about, but I don't currently know
where it stands on our priorities.
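
Added example, not part of the original message and not MIT Kerberos code: a small lint for kdc.conf that checks the rule discussed in this thread, flagging realms where master_key_type is set but supported_enctypes is either left to a default or does not include it. The realm names and sample file are constructed, and treating des3-hmac-sha1 as another name for des3-cbc-sha1 is an assumption based on how the thread uses the two names.

```python
import re

# Assumption: the thread uses these two names for the same triple-DES enctype.
ALIASES = {"des3-hmac-sha1": "des3-cbc-sha1"}

# Constructed sample kdc.conf; the realm names are placeholders.
SAMPLE = """\
[realms]
    IMPLICIT.EXAMPLE = {
        master_key_type = des3-cbc-sha1
    }
    EXPLICIT.EXAMPLE = {
        master_key_type = des3-cbc-sha1
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
    }
    MISMATCH.EXAMPLE = {
        master_key_type = des3-cbc-sha1
        supported_enctypes = des-cbc-crc:normal
    }
"""

def canon(name):
    return ALIASES.get(name.strip().lower(), name.strip().lower())

def parse_realms(text):
    """Return {realm: {key: value}} for each 'REALM = { ... }' stanza."""
    realms = {}
    for m in re.finditer(r"^\s*(\S+)\s*=\s*\{(.*?)\}", text, re.S | re.M):
        body = {}
        for line in m.group(2).splitlines():
            if "=" in line and not line.lstrip().startswith("#"):
                k, v = line.split("=", 1)
                body[k.strip()] = v.strip()
        realms[m.group(1)] = body
    return realms

def check(text):
    """Map each realm to 'ok', 'unset' (relies on a default) or 'mismatch'."""
    result = {}
    for realm, conf in parse_realms(text).items():
        mkt, enc = conf.get("master_key_type"), conf.get("supported_enctypes")
        if mkt is None:
            continue  # only realms with an explicit master_key_type are checked
        if enc is None:
            result[realm] = "unset"
        else:
            names = {canon(e.split(":")[0]) for e in re.split(r"[\s,]+", enc) if e}
            result[realm] = "ok" if canon(mkt) in names else "mismatch"
    return result
```

A realm reported as "unset" is the case described in the thread: whether a default applies depends on which code path reads the configuration, so listing supported_enctypes explicitly removes the ambiguity.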



