[31412] in Kerberos

Re: supported_enctypes question

daemon@ATHENA.MIT.EDU (Tom Yu)
Wed Aug 26 15:22:00 2009

To: Russ Allbery <rra@stanford.edu>
From: Tom Yu <tlyu@mit.edu>
Date: Wed, 26 Aug 2009 15:21:18 -0400
In-Reply-To: <874oru5qyr.fsf@windlord.stanford.edu> (Russ Allbery's message of
	"Wed, 26 Aug 2009 15:13:00 -0400")
Message-ID: <ldv8wh6l6tt.fsf@cathode-dark-space.mit.edu>
Cc: "kerberos@MIT.EDU" <kerberos@mit.edu>

Russ Allbery <rra@stanford.edu> writes:

> Tom Yu <tlyu@MIT.EDU> writes:
>> John Harris <harris@ucdavis.edu> writes:
>
>>> If I just have aes256-cts:normal and rc4-hmac:normal listed in kdc.conf 
>>> in the supported_enctypes field, I'm still able to create the 
>>> des-cbc-crc:normal service principal I need.  In fact, I can kinit -S 
>>> for it and obtain it.  My confusion lies in that I thought not having 
>>> des-cbc-crc:normal in this configuration line meant the KDC wouldn't 
>>> recognize or serve tickets for it.
>
>>> It'd be great to not have to put this in the config line so that later 
>>> principals only get the aes256 and rc4 types on them, but I'm not 
>>> understanding why I'm successfully obtaining a principal with only the 
>>> des encryption type without adding it to this line.
>
>> The "supported_enctypes" configuration variable really means "default
>> list of enctype-salttype pairs for which the kadmin subsystem will
>> generate keys".  The name is arguably misleading; if anyone has ideas
>> about a better name, please suggest one.
>
> default_enctypes, maybe?

Possibly... though we do already have "default_tkt_enctypes" and
"default_tgs_enctypes", which mean something completely different.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
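
An added illustration, not part of the original message or of MIT Kerberos code: because the thread explains that "supported_enctypes" is only the default keysalt list kadmin uses when generating keys, a principal can still hold keys outside it, so this Python sketch compares that default list with a per-principal key inventory and reports the difference. The realm, principal names and inventory are constructed, a single "supported_enctypes" line is assumed, and how the inventory is exported from the KDC database is left open.

```python
import re

# Short names MIT krb5 accepts as aliases for the same enctype.
ALIASES = {
    "aes256-cts": "aes256-cts-hmac-sha1-96",
    "aes128-cts": "aes128-cts-hmac-sha1-96",
    "rc4-hmac": "arcfour-hmac",
}

def canon(pair):
    """Normalize 'enctype[:salttype]' to (canonical enctype, salttype)."""
    enc, _, salt = pair.strip().lower().partition(":")
    return ALIASES.get(enc, enc), salt or "normal"

def default_keysalts(kdc_conf):
    """Return the set of pairs listed on the supported_enctypes line."""
    m = re.search(r"^\s*supported_enctypes\s*=\s*(.+)$", kdc_conf, re.M)
    if not m:
        return set()
    return {canon(p) for p in re.split(r"[\s,]+", m.group(1).strip()) if p}

def outside_default(kdc_conf, inventory):
    """Map principal -> sorted keysalt pairs it holds beyond the kadmin default."""
    allowed = default_keysalts(kdc_conf)
    report = {}
    for princ, pairs in inventory.items():
        extra = sorted({canon(p) for p in pairs} - allowed)
        if extra:
            report[princ] = extra
    return report

# Constructed sample input (hypothetical realm and principals).
KDC_CONF = """
[realms]
    EXAMPLE.COM = {
        supported_enctypes = aes256-cts:normal rc4-hmac:normal
    }
"""
INVENTORY = {
    "host/web.example.com@EXAMPLE.COM":
        ["aes256-cts-hmac-sha1-96:normal", "arcfour-hmac:normal"],
    "legacy/app.example.com@EXAMPLE.COM": ["des-cbc-crc:normal"],
}

if __name__ == "__main__":
    for princ, extra in outside_default(KDC_CONF, INVENTORY).items():
        print(princ, "holds keys outside the kadmin default:", extra)
```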
