[draft] End of Support For Kerberos 4
Ken Hornstein
kenh at cmf.nrl.navy.mil
Mon Aug 23 10:38:19 EDT 2004
>Now I'd like to look seriously at making 3DES my default, including
>service keys and the master db key. Our most prevalent client software is
>at the 1.2.2 level and I don't think I'm going to worry about anything
>before 1.2.
>
>Is there some documentation on *all* the necessary steps to convert to
>using 3DES as a default? If not, can somone post that information?
AFAICT, there is no way with MIT Kerberos to change the enctype of
the master key (believe me, I tried). The real stickler is that the
enctype of the history key is derived from the enctype of the master key,
so changing one means you need to change both. So it's a bit of a pain
to write code to do it. For reasons which have never been clear to me,
you need to have the enctype of the master key listed on the
"supported_enctypes" line in kdc.conf, so having a single-DES master
key means you need to still support single-DES, which is kinda
unfortunate.
--Ken
More information about the krbdev
mailing list