krb5-1.14-beta1 is available

Tom Yu tlyu at
Fri Oct 9 21:28:15 EDT 2015

supported_enctypes also defines the default keysalts for
randomly-generated keys; we don't have a separate setting for keysalts
of randomly-generated keys.

There is currently no change for the AS-REQ enctypes (controlled by
default_tkt_enctypes) in krb5-1.14.


Wang Weijun < at> writes:

> So in kadmin if a principal is created with -pw there are only strong keys but if password is chosen randomly 3DES and RC4 keys will also be generated? I will need to download it to try out.
> Also, is there any change on the client side, say, in a AS-REQ, what is inside the etypes list?
> Thanks
> Max
>> On Oct 10, 2015, at 9:13 AM, Tom Yu <tlyu at> wrote:
>> This is a challenging to explain concisely, but basically in Kerberos,
>> 3DES and RC4 are still reasonably strong for randomly generated keys but
>> not for password-derived ones.
>> krb5-devel/doc is master, not the release branch, but it's close enough
>> for now.
>> -Tom
>> Wang Weijun < at> writes:
>>> You mean all 3DES and RC4 etypes as described in I see 16 and 23 still not marked weak in
>>> BTW, is the krb5-devel/doc pages always synced with the latest public beta?
>>> Thanks
>>> Max
>>>> On Oct 10, 2015, at 4:44 AM, Tom Yu <tlyu at> wrote:
>>>> * Remove the triple-DES and RC4 encryption types from the default
>>>> value of supported_enctypes, which determines the default key and
>>>> salt types for new password-derived keys.  By default, keys will
>>>> only created only for AES128 and AES256.  This mitigates some types
>>>> of password guessing attacks.

More information about the krbdev mailing list