Review of ending February 13, 2009

Luke Howard
Thu Jan 29 21:33:51 EST 2009

>> Would it be possible to consider providing a configurable white list,
>> where DES can be defined as acceptable for certain service principals?
>> This would provide an easy mechanism for sites to disable single DES
>> in general, but still have it for a certain limited set of uses.
> We already have this capability, to some degree.  The list of keys in
> the KDB entry for a service principal (approximately) indicate the
> acceptable session key enctypes for that principal.  Suggestions for
> interfaces for making this more manageable are welcome.

In Windows 2008, there is an attribute of each principal which is a
bitmask specifying which encryption types are allowed for a service
principal. Support for something like this can be hidden behind the
backend's implementation of dbe_search_enctype().

-- Luke
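Worked illustration of the per-principal bitmask idea from the message above. This is an added example, not code from Luke's message or from the MIT Kerberos tree, and it does not touch the real kdb interfaces: find_permitted_key(), enctype_permitted(), enctype_to_bit(), struct key_entry and the sample principals and client requests are all invented here. The enctype numbers are the standard ones (RFC 3961/3962/4757); the bit values are those of the Active Directory attribute Luke refers to, msDS-SupportedEncryptionTypes as documented in MS-KILE, which the message itself does not name. The point it shows is the one the thread is after: a DES key can stay in the KDB entry, yet the KDC issues DES session keys only to principals whose mask whitelists DES.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Kerberos enctype numbers (RFC 3961/3962/4757); same values as MIT's ENCTYPE_*. */
#define ENCTYPE_DES_CBC_CRC               1
#define ENCTYPE_DES_CBC_MD5               3
#define ENCTYPE_AES128_CTS_HMAC_SHA1_96   17
#define ENCTYPE_AES256_CTS_HMAC_SHA1_96   18
#define ENCTYPE_ARCFOUR_HMAC              23

/* Bit flags of the AD msDS-SupportedEncryptionTypes attribute (MS-KILE 2.2.7). */
#define KERB_ENCTYPE_DES_CBC_CRC              0x01
#define KERB_ENCTYPE_DES_CBC_MD5              0x02
#define KERB_ENCTYPE_RC4_HMAC_MD5             0x04
#define KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96  0x08
#define KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96  0x10

/* Hypothetical stand-in for one stored key of a KDB entry (only the enctype matters here). */
struct key_entry {
    int32_t enctype;
};

/* Map an enctype to its bit in the mask; 0 for enctypes the mask cannot express. */
static uint32_t enctype_to_bit(int32_t enctype)
{
    switch (enctype) {
    case ENCTYPE_DES_CBC_CRC:             return KERB_ENCTYPE_DES_CBC_CRC;
    case ENCTYPE_DES_CBC_MD5:             return KERB_ENCTYPE_DES_CBC_MD5;
    case ENCTYPE_ARCFOUR_HMAC:            return KERB_ENCTYPE_RC4_HMAC_MD5;
    case ENCTYPE_AES128_CTS_HMAC_SHA1_96: return KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96;
    case ENCTYPE_AES256_CTS_HMAC_SHA1_96: return KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96;
    default:                              return 0;
    }
}

/* An enctype is usable for a principal only if its bit is set in that principal's mask. */
static int enctype_permitted(uint32_t mask, int32_t enctype)
{
    uint32_t bit = enctype_to_bit(enctype);
    return bit != 0 && (mask & bit) != 0;
}

/*
 * Hypothetical search helper, modelled on what a backend enctype search would do
 * with such a mask: walk the client's requested enctypes in preference order and
 * return the index of the first stored key whose enctype matches AND is permitted
 * by the mask, or -1 if there is none. A key that exists in the entry but whose
 * bit is clear is skipped, so a DES key may stay on file without DES being issued.
 */
static int find_permitted_key(uint32_t mask,
                              const struct key_entry *keys, size_t nkeys,
                              const int32_t *requested, size_t nreq)
{
    for (size_t i = 0; i < nreq; i++) {
        for (size_t j = 0; j < nkeys; j++) {
            if (keys[j].enctype == requested[i] &&
                enctype_permitted(mask, keys[j].enctype))
                return (int)j;
        }
    }
    return -1;
}

/* Constructed sample data: both service principals hold the same three keys. */
static const struct key_entry sample_keys[] = {
    { ENCTYPE_DES_CBC_CRC },
    { ENCTYPE_ARCFOUR_HMAC },
    { ENCTYPE_AES256_CTS_HMAC_SHA1_96 },
};
#define NSAMPLE_KEYS (sizeof(sample_keys) / sizeof(sample_keys[0]))

/* Legacy appliance principal: DES is whitelisted for this principal only. */
#define MASK_LEGACY_SERVICE (KERB_ENCTYPE_DES_CBC_CRC | KERB_ENCTYPE_RC4_HMAC_MD5 | \
                             KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96)
/* Site default: AES only, even though the entry still carries a DES key. */
#define MASK_DEFAULT_SERVICE (KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 | \
                              KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96)

/* Constructed client requests: a DES-only client, and a modern client's preference list. */
static const int32_t des_only_request[] = { ENCTYPE_DES_CBC_CRC };
static const int32_t modern_request[]   = { ENCTYPE_AES256_CTS_HMAC_SHA1_96,
                                            ENCTYPE_ARCFOUR_HMAC,
                                            ENCTYPE_DES_CBC_CRC };

int main(void)
{
    int idx;

    idx = find_permitted_key(MASK_LEGACY_SERVICE, sample_keys, NSAMPLE_KEYS,
                             des_only_request, 1);
    printf("DES client -> legacy service:  key index %d\n", idx);   /* 0: DES key used */

    idx = find_permitted_key(MASK_DEFAULT_SERVICE, sample_keys, NSAMPLE_KEYS,
                             des_only_request, 1);
    printf("DES client -> default service: key index %d\n", idx);   /* -1: refused */

    idx = find_permitted_key(MASK_DEFAULT_SERVICE, sample_keys, NSAMPLE_KEYS,
                             modern_request, 3);
    printf("AES client -> default service: key index %d\n", idx);   /* 2: AES256 key */
    return 0;
}
```

The check is deliberately separate from the key list: the list of stored keys answers "can the KDC build a ticket of this enctype", the mask answers "is it allowed to", and only the second needs to change when a site retires single DES for all but a handful of principals.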

