[draft] End of Support For Kerberos 4

Mike Friedman mikef at ack.Berkeley.EDU
Fri Aug 20 17:40:53 EDT 2004

On Fri, 20 Aug 2004 at 16:19 (-0400), Sam Hartman wrote:

> We recommend any sites that have not already done so begin a migration
> to Kerberos 5.  Kerberos 5 provides support for strong encryption,
> extensibility, much better cross-vendor interoperability and ongoing
> development and enhancement.

I've been running K5 for some time;  my KDC is currently at 1.2.7. But
I've never used 3DES keys because support for them was weak and
inconsistent back when I first went to 1.2.x (older clients wouldn't work,
for one thing).

Now I'd like to look seriously at making 3DES my default, including
service keys and the master db key.  Our most prevalent client software is
at the 1.2.2 level and I don't think I'm going to worry about anything
before 1.2.

Is there some documentation on *all* the necessary steps to convert to
using 3DES as a default?  If not, can somone post that information?



Mike Friedman                             System and Network Security
mikef at ack.Berkeley.EDU                    2484 Shattuck Avenue
1-510-642-1410                            University of California at Berkeley
http://ack.Berkeley.EDU/~mikef            http://security.berkeley.edu

More information about the krbdev mailing list