dbentry_supports_enctype and 1DES enctypes

Sam Hartman hartmans at MIT.EDU
Tue Sep 6 14:19:07 EDT 2005


>>>>> "Will" == Will Fiveash <William.Fiveash at sun.com> writes:

    Will> On Mon, Aug 29, 2005 at 11:36:03PM -0400, Jeffrey Altman
    Will> wrote:
    >> Will:
    >> 
    >> Telnet specifically requests a single DES session key because
    >> the MIT version of Telnet does not support the 3DES TELNET
    >> ENCRYPT option.

    Will> My point is that if the remote host service princ does not
    Will> have 1DES keys then why should the KDC issue 1DES session
    Will> keys to the client that requests a service ticket
    Will> (regardless of whether it's telnet or whatever)?  I can
    Will> imagine an admin thinking that by restricting the service
    Will> princ keys to some stronger enctype they would be
    Will> restricting the session keys generated by KDC for that
    Will> service to that stronger enctype.  Instead, the MIT krb code
    Will> hard codes issuance of 1DES session keys if the client
    Will> requests them (assuming there are no other enctype
    Will> restricting parameters in play).

I think the concern is that we'd rather issue a ticket that may not
work than issue an error response that is guaranteed to work.

Are you seeing cases where we issue a 1des ticket and could have
issued something stronger?

--Sam
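The selection rule Will describes and the question Sam asks at the end can both be modelled in a few lines. The following is an added example, not code from MIT krb5 or from anyone on this thread: a toy KDC session-key enctype chooser that contrasts the permissive behaviour Will describes (a requested 1DES enctype is issued whenever the KDC permits it) with the stricter behaviour an admin might expect (the session key is also limited to enctypes the service principal has keys for), plus an audit helper for Sam's question about tickets where something stronger could have been issued. Enctype names follow krb5.conf spelling; the strength ordering, the function names and the sample principals are constructed assumptions.

```python
# Added example, not MIT krb5 code. Toy model of KDC session-key enctype
# selection, constructed to illustrate the thread's discussion. Enctype
# names use krb5.conf spelling; the strength ordering, helper names and
# sample principal data are assumptions made for this example.

from typing import Iterable, List, Optional

# Constructed ordering used only to compare strengths (index = rank).
STRENGTH_ORDER: List[str] = [
    "des-cbc-crc",
    "des-cbc-md5",
    "des3-cbc-sha1",
    "aes128-cts-hmac-sha1-96",
    "aes256-cts-hmac-sha1-96",
]
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}


def rank(etype: str) -> int:
    """Strength rank of an enctype; unknown enctypes rank lowest."""
    return STRENGTH_ORDER.index(etype) if etype in STRENGTH_ORDER else -1


def select_session_enctype(
    client_request: Iterable[str],
    kdc_permitted: Iterable[str],
    service_keys: Iterable[str],
    restrict_to_service_keys: bool = False,
) -> Optional[str]:
    """Pick the session-key enctype for a service ticket, or None for an error.

    client_request: etypes in the client's preference order (the request's etype list).
    kdc_permitted:  etypes the KDC is configured to issue session keys in.
    service_keys:   etypes the service principal has long-term keys for.
    restrict_to_service_keys: False models the behaviour Will describes (the
        client's choice wins as long as the KDC permits it); True models the
        policy an admin might expect from limiting the service's key enctypes.
    """
    allowed = set(kdc_permitted)
    if restrict_to_service_keys:
        allowed &= set(service_keys)
    for etype in client_request:  # client preference order decides
        if etype in allowed:
            return etype
    return None


def stronger_alternative(
    client_request: Iterable[str],
    kdc_permitted: Iterable[str],
    service_keys: Iterable[str],
) -> Optional[str]:
    """Audit one request: if the permissive selection is single DES, return the
    strongest enctype that client, KDC and service all share and that beats it;
    otherwise return None (nothing stronger was on offer)."""
    chosen = select_session_enctype(client_request, kdc_permitted, service_keys)
    if chosen is None or chosen not in SINGLE_DES:
        return None
    common = set(client_request) & set(kdc_permitted) & set(service_keys)
    candidates = [e for e in common if rank(e) > rank(chosen)]
    return max(candidates, key=rank) if candidates else None


if __name__ == "__main__":
    kdc = ["aes256-cts-hmac-sha1-96", "des3-cbc-sha1", "des-cbc-crc", "des-cbc-md5"]
    host_svc = ["aes256-cts-hmac-sha1-96", "des3-cbc-sha1"]  # constructed: no 1DES keys

    # Telnet-style client that only asks for single DES.
    telnet = ["des-cbc-crc"]
    print(select_session_enctype(telnet, kdc, host_svc))        # des-cbc-crc
    print(select_session_enctype(telnet, kdc, host_svc, True))  # None -> error response
    print(stronger_alternative(telnet, kdc, host_svc))          # None: nothing stronger offered

    # Client that lists 1DES first but also supports 3DES.
    mixed = ["des-cbc-crc", "des3-cbc-sha1"]
    print(select_session_enctype(mixed, kdc, host_svc))         # des-cbc-crc
    print(stronger_alternative(mixed, kdc, host_svc))           # des3-cbc-sha1
```

The telnet case shows the trade-off Sam describes: the permissive rule issues a 1DES ticket the service may not be able to use, while the strict rule returns no enctype at all. The mixed case is the one his question is about: the client would have accepted 3DES, the KDC and service both support it, yet client preference order yields 1DES.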


