Unable to have KDC use different enctype for session/service key

Ken Hornstein kenh at cmf.nrl.navy.mil
Tue Sep 17 10:40:01 EDT 2002

>Yes.  default_tgs_enctypes on the client.  After all the client really
>has the best idea of what enctypes the client can handle.

The problem is that I have a choice between:

- Changing something on the KDC, which is fairly reasonable.
- Changing something on 5000+ krb5.conf files scattered all over creation,
  which is a screaming nightmare.  And then when I finally DO want do
  support 3DES/AES for everything, I have a second screaming nightmare
  to change krb5.conf again.  Somehow that seems less than optimal.

I'm missing something here; is there a reason why the session key enctype
should _NOT_ be adjustable on the KDC?  I mean, it seems like the best
solution (really, the only practical solution).


More information about the krbdev mailing list