Unable to have KDC use different enctype for session/service key

Tom Yu tlyu at MIT.EDU
Tue Sep 17 13:48:01 EDT 2002

>>>>> "kenh" == Ken Hornstein <kenh at cmf.nrl.navy.mil> writes:

>> I suspect you will run into cases in 1.0.6 where clients or servers
>> will fail even if you have a single des session key with a triple des
>> ticket.

kenh> That's with old clients getting and using 3DES TGTs and
kenh> single-DES session keys.  So I think that it does work okay
kenh> (which surprises me, but there you go).  If you know of a
kenh> situation where it doesn't work, then please let me know,
kenh> because that of course would change my migration plans
kenh> considerably.

I think that for 1.0.6, the special case of a 3DES TGT service key
will work, since the code path for TGS_REQ is different from the code
path for generating other kinds of AP_REQs *sigh*.  I believe that
there is only a problem when 1.0.6 attempts to make use of an
application ticket with a 3DES service key.  It is likely that as long
as your only relevant 3DES-keyed service is the TGS, things will work.

