Unable to have KDC use different enctype for session/service key
Tom Yu
tlyu at MIT.EDU
Tue Sep 17 13:48:01 EDT 2002
>>>>> "kenh" == Ken Hornstein <kenh at cmf.nrl.navy.mil> writes:
>> I suspect you will run into cases in 1.0.6 where clients or servers
>> will fail even if you have a single des session key with a tripple des
>> ticket.
kenh> That's with old clients getting and using 3DES TGTs and
kenh> single-DES session keys. So I think that it does work okay
kenh> (which surprises me, but there you go). If you know of a
kenh> situation where it doesn't work, then please let me know,
kenh> because that of course would change my migration plans
kenh> considerably.
I think that for 1.0.6, the special case of a 3DES TGT service key
will work, since the code path for TGS_REQ is different from the code
path for generating other kinds of AP_REQs *sigh*. I believe that
there is only a problem when 1.0.6 attempts to make use of an
application ticket with a 3DES service key. It is likely that as long
as your only relevant 3DES-keyed service is the TGS, things will work.
---Tom
More information about the krbdev
mailing list