Unable to have KDC use different enctype for session/service key
Ken Hornstein
kenh at cmf.nrl.navy.mil
Tue Sep 17 10:40:01 EDT 2002
>Yes. default_tgs_enctypes on the client. After all the client really
>has the best idea of what enctypes the client can handle.
The problem is that I have a choice between:
- Changing something on the KDC, which is fairly reasonable.
- Changing something on 5000+ krb5.conf files scattered all over creation,
which is a screaming nightmare. And then when I finally DO want do
support 3DES/AES for everything, I have a second screaming nightmare
to change krb5.conf again. Somehow that seems less than optimal.
I'm missing something here; is there a reason why the session key enctype
should _NOT_ be adjustable on the KDC? I mean, it seems like the best
solution (really, the only practical solution).
--Ken
More information about the krbdev
mailing list