Unable to have KDC use different enctype for session/service key

[Ken Hornstein]

I've upgraded our realm to have a 3DES key.  So far, that works.

I have a mix of old and new clients.  New kinit's will get a TGS service
ticket with a 3DES enctype for both the service ticket and session key.
Old kinit's will get a TGS service ticket with a 3DES enctype for the
service ticket part, and a single-DES enctype for the session key.

What surprised me is that old clients can still use a TGT when the
service ticket was using 3DES (but with a single-DES session key), but
I guess it makes sense when you think about it.  Obviously, when you use
the new kinit, old clients don't work (well, they can't get service tickets,
but they can use service tickets acquired by kvno).

It seems what I want is to use 3DES service tickets for the TGS
whenever possible to get the best protection I can for the TGS key,
but for now restrict the session key to single-DES for all clients
during the transition (I know, it's not a huge gain, but it's still
a gain in my book).  But unless I'm missing something, I don't see
a knob that let's me do it.  The decision seems to be made inside
of select_session_keytype(), but the only thing I can use to restrict
stuff there is the permitted_enctypes entry in krb5.conf, and that's
_too_ coarse; that restricts all enctypes to the given list, whereas I
only want to do it for session keys.  Is there a knob I'm missing?

--Ken