[draft] End of Support For Kerberos 4

Sam Hartman hartmans at MIT.EDU
Mon Aug 23 14:08:56 EDT 2004

>>>>> "Ken" == Ken Hornstein <kenh at cmf.nrl.navy.mil> writes:

    >> Now I'd like to look seriously at making 3DES my default,
    >> including service keys and the master db key.  Our most
    >> prevalent client software is at the 1.2.2 level and I don't
    >> think I'm going to worry about anything before 1.2.
    >> Is there some documentation on *all* the necessary steps to
    >> convert to using 3DES as a default?  If not, can somone post
    >> that information?

    Ken> AFAICT, there is no way with MIT Kerberos to change the
    Ken> enctype of the master key (believe me, I tried).  The real
    Ken> stickler is that the enctype of the history key is derived
    Ken> from the enctype of the master key, so changing one means you
    Ken> need to change both.  So it's a bit of a pain to write code
    Ken> to do it.  

This is still unfortunately true.  We really should at least add an
option to purge the old history if we're not going to fix this correctly.

    Ken> For reasons which have never been clear to me, you
    Ken> need to have the enctype of the master key listed on the
    Ken> "supported_enctypes" line in kdc.conf, so having a single-DES
    Ken> master key means you need to still support single-DES, which
    Ken> is kinda unfortunate.

I think this was at least intended to be fixed in 1.3.

More information about the krbdev mailing list