Review of http://k5wiki.kerberos.org/wiki/Projects/Disable_DES ending February 13, 2009
Nicolas.Williams at sun.com
Fri Jan 30 01:04:06 EST 2009
On Thu, Jan 29, 2009 at 06:38:52PM +0000, Simon Wilkinson wrote:
> I'd like to see some consideration of making this switch more
> granular. Many of us are in a situation where we'd love to get rid of
> single DES, but we have some protocols (AFS in particular, but I'm
> sure there are places with other locally developed protocols which
> have similar problems) which rely upon single DES being available.
> Would it be possible to consider providing a configurable white list,
> where DES can be defined as acceptable for certain service principals?
> This would provide an easy mechanism for sites to disable single DES
> in general, but still have it for a certain limited set of uses.
This is for service ticket encryption keys or service ticket session
keys, right? If so I suggest that this be controlled through metadata
attached to the service principals in the KDB.
Use of supported_enctypes can be made to keep 1DES out in the case of
password / key changes.
Whether clients can be made to send PA-ENC-TIMESTAMP using 1DES
long-term keys [derived from passwords], however, is a purely
client-side issue, and the only way to involve realm administration here
is at realm-join time (and host key change time). My interpretation is
that this project is aimed at this particular issue.
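As an added illustration of the supported_enctypes approach Nico mentions (constructed for this page, not taken from the thread or from the MIT project page), the fragments below keep single-DES out of the realm-wide defaults so routine password and key changes never mint a DES key, while the one AFS service principal that still needs DES receives it explicitly via kadmin's -e keysalt list. The realm, principal names and file paths are placeholders, and the allow_weak_crypto knob assumes an MIT krb5 release that understands it.

```ini
# /var/kerberos/krb5kdc/kdc.conf (constructed example)
# supported_enctypes is the default key/salt list used whenever a
# principal is created or its password/key is changed. With no des-*
# entry here, an ordinary "change_password" cannot produce a 1DES key.
[realms]
    EXAMPLE.COM = {
        supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
    }

# /etc/krb5.conf (constructed example)
# allow_weak_crypto is a library-wide switch, not a per-service one:
# "false" makes the libraries refuse DES keys and DES session keys
# outright, which is the end state the project is aiming for.
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = false

# Per-principal exception (constructed example, run by the KDC admin):
# the AFS service key is generated with an explicit DES keysalt that
# overrides the realm default above, so only this principal keeps 1DES.
#
#   kadmin.local -q "change_password -randkey -e des-cbc-crc:normal afs/cell.example.com@EXAMPLE.COM"
#
# Everything else in the realm continues to get AES keys, and hosts that
# must talk to AFS are the only ones that need allow_weak_crypto = true.
```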