Unable to have KDC use different enctype for session/service key
kenh at cmf.nrl.navy.mil
Tue Sep 17 14:04:01 EDT 2002
>I think that for 1.0.6, the special case of a 3DES TGT service key
>will work, since the code path for TGS_REQ is different from the code
>path for generating other kinds of AP_REQs *sigh*. I believe that
>there is only a problem when 1.0.6 attempts to make use of an
>application ticket with a 3DES service key. It is likely that as long
>as your only relevant 3DES-keyed service is the TGS, things will work.
I think I see what you mean. If a "new" client gets a 3DES service ticket,
and an old client then tries to use that service ticket, it will fail.
Oh, yeah, you're right ... it definately does fail in a non-pretty way.
Hm, well, that's good to know before I start rekeying all of my hosts ...
and it definately makes things more ... "interesting".
More information about the krbdev