Multiple ETYPE-INFO-ENTRY with same etype but different salts

Henry B. Hotz hotz at
Tue Jul 19 22:39:29 EDT 2011

On Jul 18, 2011, at 7:05 AM, krbdev-request at wrote:

>> I would expect the des-cbc-md5:normal to result in an etype-info2 entry
>> with no specified salt (which means the default salt).  I don't know why
>> Java isn't choosing this entry.
> As I said, we skip entry with an empty salt.
> We will fix our problem. My last question would be: so the customer has no workaround now on their KDC side?

The customer could follow current recommended practice and stop using Kerberos 4 and single-DES.  ;-)  ;-)

(You can preserve single-des keys for the AFS service even if you strip them out of everything else.)
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at

More information about the krbdev mailing list