Enctype configuration

Greg Hudson ghudson at MIT.EDU
Sat Jul 25 10:53:21 EDT 2009

On Sat, 2009-07-25 at 06:59 -0400, Sam Hartman wrote:
> Thanks for bringing this up.  Unfortunately there are some interop
> cases where random salt will be a problem.  One is creating
> cross-realm passwords.  Another is creating machine and service
> accounts for Windows.

I thought of the cross-TGT issue last night.  I'm not sure machine and
service accounts for Windows are an issue since rc4-hmac's string-to-key
doesn't use the salt.

At this point, I'm going to carefully replace the drywall I removed and
pretend that I didn't find the nest of bad wiring inside.  I will write
up an early project proposal describing random explicit salts and the
benefits and complications thereof, but I don't think the benefits are
worth the amount of time it would take to resolve the complications at
this point.

For the enctype configuration project, I will just leave the
supported_enctypes variable alone.

More information about the krbdev mailing list