MIT krb5 release 1.18 will remove single-DES support

Greg Hudson ghudson at
Mon Jun 3 10:35:44 EDT 2019

On 6/3/19 6:17 AM, Kenneth MacDonald wrote:
> Thanks for clarifying that.  Can you further confirm or correct these
> two assumptions I'm making following on from this ...
> 1/ Our kadmin/history key has a single-DES and and another enctype, so
> we're safe for now.

Ordinarily kadmin/history only has one key; I guess this kadmin/history
entry was created with krb5-1.2 or earlier.

>From my reading of the code, if kadmin/history has multiple keys, only
the first key is used to create new history entries, and password change
operations will fail out if that key has an unsupported enctype.  So if
the first key is des-cbc-crc I would still expect an issue.

> 2/ If we rekey the kadmin/hostory key then all previous password
> history will be unavailable, so users will be able to reuse some
> previously used passwords (those set when the old kadmin/history key
> was in operation).

That is correct.

More information about the krbdev mailing list