Unable to have KDC use different enctype for session/service key
Sam Hartman
hartmans at MIT.EDU
Tue Sep 17 13:07:01 EDT 2002
>>>>> "Ken" == Ken Hornstein <kenh at cmf.nrl.navy.mil> writes:
>> Interesting. I thought that got fixed about the same time that
>> we stopped confusing the ticket encryption type with the
>> session key type.
Ken> That was probably in the 1.1 timeframe, right? My "old"
Ken> clients are 1.0.6-vintage. Yes, they need to be hunted down
Ken> and killed, eventually ... but that's still a ways off.
I suspect you will run into cases in 1.0.6 where clients or servers
will fail even if you have a single des session key with a tripple des
ticket.
I think you cannot deploy tripple des at all without killing off 1.0.x
clients.
Ken> A code inspection of the new library leads me to believe that
Ken> if I made the single-DES enctype be first in the credential
Ken> cache, that would be the one that would be used even by
Ken> clients supporting 3DES. Given _that_ (assuming I'm right,
Ken> and it's certainly possible that I'm not), is there another
Ken> option? (Other than restricting session key enctypes on the
Ken> KDC, which right now seems like my only choice).
Given your stated constraints, if you cannot get multiple tgts in the
cache to work, I think you may in fact have to cripple your KDC.
More information about the krbdev
mailing list