Unable to have KDC use different enctype for session/service key

Ken Hornstein kenh at cmf.nrl.navy.mil
Tue Sep 17 14:04:01 EDT 2002

>I think that for 1.0.6, the special case of a 3DES TGT service key
>will work, since the code path for TGS_REQ is different from the code
>path for generating other kinds of AP_REQs *sigh*.  I believe that
>there is only a problem when 1.0.6 attempts to make use of an
>application ticket with a 3DES service key.  It is likely that as long
>as your only relevant 3DES-keyed service is the TGS, things will work.

I think I see what you mean.  If a "new" client gets a 3DES service ticket,
and an old client then tries to use that service ticket, it will fail.
Oh, yeah, you're right ... it definately does fail in a non-pretty way.
Hm, well, that's good to know before I start rekeying all of my hosts ...
and it definately makes things more ... "interesting".


More information about the krbdev mailing list