Unable to have KDC use different enctype for session/service key
hartmans at MIT.EDU
Tue Sep 17 10:50:01 EDT 2002
>>>>> "Ken" == Ken Hornstein <kenh at cmf.nrl.navy.mil> writes:
Ken> The problem is that I have a choice between:
Ken> - Changing something on the KDC, which is fairly reasonable.
No, it's not; you are encoding client configuration information into the KDC.
Ken> - Changing something on 5000+ krb5.conf files scattered all
Ken> over creation, which is a screaming nightmare.
But you already have this issue. You need to upgrade those clients to
support 3des in the first place. I suggest that you add to whatever
process is allowing you to get new kinits out to clients the ability
to get new krb5.confs out to clients.
If you cannot get a new kinit to a client then it will not request 3des at all.
Ken> I'm missing something here; is there a reason why the session
Ken> key enctype should _NOT_ be adjustable on the KDC? I mean,
Ken> it seems like the best solution (really, the only practical
Yes. Configuring enctypes on Kerberos is overly complex as is; we
want to decrease that complexity, not increase it. Long term we are
looking at removing some of the configuration options, not adding more.
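For reference, the client-side knob this reply is pointing at is the enctype preference list in krb5.conf, not anything on the KDC. The fragment below is an added, constructed example (not from the thread); it assumes MIT krb5 [libdefaults] syntax and an invented realm name, and lists 3des first so a 3des-capable kinit offers it ahead of single DES:

```ini
# Constructed example, not from the thread. A client krb5.conf that makes a
# 3des-capable kinit ask for des3-cbc-sha1 first; the KDC then chooses the
# session key enctype from what the client offers, so no KDC change is needed.
[libdefaults]
    default_realm = EXAMPLE.COM
    # enctypes offered in the AS-REQ (initial ticket from kinit)
    default_tkt_enctypes = des3-cbc-sha1 des-cbc-crc des-cbc-md5
    # enctypes offered in the TGS-REQ (service tickets)
    default_tgs_enctypes = des3-cbc-sha1 des-cbc-crc des-cbc-md5
    # enctypes this client is willing to use at all
    permitted_enctypes = des3-cbc-sha1 des-cbc-crc des-cbc-md5
```

A client running an older kinit that does not know des3-cbc-sha1 simply ignores that name and falls back to the DES entries, which is why the new kinit and the new krb5.conf have to ship together.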