Review of http://k5wiki.kerberos.org/wiki/Projects/Disable_DES ending February 13, 2009
Luke Howard
lukeh at padl.com
Thu Jan 29 21:33:51 EST 2009
>> Would it be possible to consider providing a configurable white list,
>> where DES can be defined as acceptable for certain service
>> principals?
>> This would provide an easy mechanism for sites to disable single DES
>> in general, but still have it for a certain limited set of uses.
>
> We already have this capability, to some degree. The list of keys in
> the KDB entry for a service principal (approximately) indicates the
> acceptable session key enctypes for that principal. Suggestions for
> interfaces for making this more manageable are welcome.

In Windows 2008, there is an attribute of each principal which is a
bitmask specifying which encryption types are allowed for a service
principal. Support for something like this can be hidden behind the
backend's implementation of dbe_search_enctype().
-- Luke
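
The per-principal bitmask check described in the message above, as an added example that is not part of the original post and is not MIT krb5 code. The bit values follow the Windows msDS-SupportedEncryptionTypes layout; the function names, the strongest-first key ordering and the "mask 0 means use the site default" rule are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Kerberos enctype numbers as assigned by IANA. */
enum { ET_DES_CBC_CRC = 1, ET_DES_CBC_MD5 = 3, ET_AES128_SHA1 = 17,
       ET_AES256_SHA1 = 18, ET_RC4_HMAC = 23 };

/* Bit layout of msDS-SupportedEncryptionTypes. */
#define BIT_DES_CBC_CRC 0x01u
#define BIT_DES_CBC_MD5 0x02u
#define BIT_RC4_HMAC    0x04u
#define BIT_AES128_SHA1 0x08u
#define BIT_AES256_SHA1 0x10u

/* Map an enctype to its mask bit. An enctype with no bit is never allowed. */
static uint32_t enctype_bit(int etype)
{
    switch (etype) {
    case ET_DES_CBC_CRC: return BIT_DES_CBC_CRC;
    case ET_DES_CBC_MD5: return BIT_DES_CBC_MD5;
    case ET_RC4_HMAC:    return BIT_RC4_HMAC;
    case ET_AES128_SHA1: return BIT_AES128_SHA1;
    case ET_AES256_SHA1: return BIT_AES256_SHA1;
    default:             return 0;
    }
}

/* Hypothetical policy: a principal mask of 0 means "not set", so the
 * site-wide default (single DES disabled) applies. A non-zero mask is the
 * explicit whitelist for that principal. */
uint32_t effective_mask(uint32_t site_default, uint32_t principal_mask)
{
    return principal_mask != 0 ? principal_mask : site_default;
}

/* Hypothetical lookup a KDB backend could perform: walk the principal's
 * stored key enctypes (assumed ordered strongest first) and return the
 * first one the mask permits, or -1 if none is acceptable. */
int select_enctype(const int *key_etypes, size_t n, uint32_t mask)
{
    for (size_t i = 0; i < n; i++)
        if (enctype_bit(key_etypes[i]) & mask)
            return key_etypes[i];
    return -1;
}
```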