Unable to have KDC use different enctype for session/service key

Sam Hartman hartmans at MIT.EDU
Tue Sep 17 13:07:01 EDT 2002

>>>>> "Ken" == Ken Hornstein <kenh at cmf.nrl.navy.mil> writes:

    >> Interesting.  I thought that got fixed about the same time that
    >> we stopped confusing the ticket encryption type with the
    >> session key type.

    Ken> That was probably in the 1.1 timeframe, right?  My "old"
    Ken> clients are 1.0.6-vintage.  Yes, they need to be hunted down
    Ken> and killed, eventually ...  but that's still a ways off.

I suspect you will run into cases in 1.0.6 where clients or servers
will fail even if you have a single des session key with a tripple des


I think you cannot deploy tripple des at all without killing off 1.0.x

    Ken> A code inspection of the new library leads me to believe that
    Ken> if I made the single-DES enctype be first in the credential
    Ken> cache, that would be the one that would be used even by
    Ken> clients supporting 3DES.  Given _that_ (assuming I'm right,
    Ken> and it's certainly possible that I'm not), is there another
    Ken> option?  (Other than restricting session key enctypes on the
    Ken> KDC, which right now seems like my only choice).

Given your stated constraints, if you cannot get multiple tgts in the
cache to work, I think you may in fact have to cripple your KDC.

More information about the krbdev mailing list