[draft] End of Support For Kerberos 4
hartmans at MIT.EDU
Mon Aug 23 14:08:56 EDT 2004
>>>>> "Ken" == Ken Hornstein <kenh at cmf.nrl.navy.mil> writes:
>> Now I'd like to look seriously at making 3DES my default,
>> including service keys and the master db key. Our most
>> prevalent client software is at the 1.2.2 level and I don't
>> think I'm going to worry about anything before 1.2.
>> Is there some documentation on *all* the necessary steps to
>> convert to using 3DES as a default? If not, can somone post
>> that information?
Ken> AFAICT, there is no way with MIT Kerberos to change the
Ken> enctype of the master key (believe me, I tried). The real
Ken> stickler is that the enctype of the history key is derived
Ken> from the enctype of the master key, so changing one means you
Ken> need to change both. So it's a bit of a pain to write code
Ken> to do it.
This is still unfortunately true. We really should at least add an
option to purge the old history if we're not going to fix this correctly.
Ken> For reasons which have never been clear to me, you
Ken> need to have the enctype of the master key listed on the
Ken> "supported_enctypes" line in kdc.conf, so having a single-DES
Ken> master key means you need to still support single-DES, which
Ken> is kinda unfortunate.
I think this was at least intended to be fixed in 1.3.
More information about the krbdev