dbentry_supports_enctype and 1DES enctypes
Sam Hartman
hartmans at MIT.EDU
Tue Sep 6 14:19:07 EDT 2005
>>>>> "Will" == Will Fiveash <William.Fiveash at sun.com> writes:
Will> On Mon, Aug 29, 2005 at 11:36:03PM -0400, Jeffrey Altman
Will> wrote:
>> Will:
>>
>> Telnet specifically requests a single DES session key because
>> the MIT version of Telnet does not support the 3DES TELNET
>> ENCRYPT option.
Will> My point is that if the remote host service princ does not
Will> have 1DES keys then why should the KDC issue 1DES session
Will> keys to the client that requests a service ticket
Will> (regardless of whether it's telnet or whatever)? I can
Will> imagine an admin thinking that by restricting the service
Will> princ keys to some stronger enctype they would be
Will> restricting the session keys generated by KDC for that
Will> service to that stronger enctype. Instead, the MIT krb code
Will> hard codes issuance of 1DES session keys if the client
Will> requests them (assuming there are no other enctype
Will> restricting parameters in play).

I think the concern is that we'd rather issue a ticket that may not
work than issue an error response that is guaranteed to work.

Are you seeing cases where we issue a 1des ticket and could have
issued something stronger?

--Sam