Review of ending February 13, 2009

Nicolas Williams Nicolas.Williams at
Fri Jan 30 01:04:06 EST 2009

On Thu, Jan 29, 2009 at 06:38:52PM +0000, Simon Wilkinson wrote:
> I'd like to see some consideration of making this switch more  
> granular. Many of us are in a situation where we'd love to get rid of  
> single DES, but we have some protocols (AFS in particular, but I'm  
> sure there are places with other locally developed protocols which  
> have similar problems) which rely upon single DES being available.
> Would it be possible to consider providing a configurable white list,  
> where DES can be defined as acceptable for certain service principals?  
> This would provide an easy mechanism for sites to disable single DES  
> in general, but still have it for a certain limited set of uses.

This is for service ticket encryption keys or service ticket session
keys, right?  If so I suggest that this be controlled through metadata
attached to the service principals in the KDB.

Use of supported_enctypes can be made to keep 1DES out in the case of
password / key changes.

Whether clients can be made to send PA-ENC-TIMESTAMP using 1DES
long-term keys [derived from passwords], however, is a purely
client-side issue, and the only way to involve realm administration here
is at realm-join time (and host key change time).  My interpretation is
that this project is aimed at this particular issue.


More information about the krbdev mailing list