Behavior change of krb5_rd_req: what error to return

John Hascall john at
Thu Dec 4 08:46:42 EST 2008

> It seems like a very bad idea to have two principals that
> share the same key and are not aliases.

  This raises the question of the Birthday Paradox -- do
  we believe that the sizes of all key types (DES at 56
  would be the smallest?) available in Kerberos are
  large enough that any expected installation of it
  would not have enough keys that two randomly generated
  ones are "likely" to colide?

  And does this also apply to user principals?  Because
  I know darn well that many of our users choose the
  exact same passwords (because the no-salt keys are
  identical).  I think we had one that was shared by
  something like 156 people at one point!


More information about the krbdev mailing list