krbdev Digest, Vol 33, Issue 6

Henry B. Hotz hotz at
Thu Sep 8 17:59:26 EDT 2005

On Sep 8, 2005, at 9:02 AM, krbdev-request at wrote:

>     Will> And if the admin is trying to limit the skey enctypes for a
>     Will> particular service on a particular system, are they supposed
>     Will> to use the permitted_enctypes krb5.conf parameter?  If so,
>     Will> doesn't this affect all services on that system?
> Yes.  We have not seen a customer need to limit enctypes on a
> per-service (instead of per-system) basis.
> Certainly any policy on what the service will accept needs to be
> validated at the service.

Example:  Solaris 9 machine.

Need des-cbc-{crc,md5} only for host/machine for compatibility with  
built-in Kerberos.

Want rc4/des3/aes for HTTP/machine because it's using independent  
(MIT/Heimdal) libraries.

Want rc4/des3/aes for host/machine also for OpenSSH, but I can't  
exactly do this, can I?

I have a hard time imagining the session key having different  
restrictions than the service key, but maybe the above SSH example  
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at

More information about the krbdev mailing list