[31413] in Kerberos
Re: supported_enctypes question
daemon@ATHENA.MIT.EDU (Kevin Coffman)
Wed Aug 26 15:49:38 2009
In-Reply-To: <ldv8wh6l6tt.fsf@cathode-dark-space.mit.edu>
Date: Wed, 26 Aug 2009 15:49:11 -0400
Message-ID: <4d569c330908261249m1e9c95d0he859bf1d6d1c00e0@mail.gmail.com>
From: Kevin Coffman <kwc@citi.umich.edu>
To: Tom Yu <tlyu@mit.edu>
Cc: "kerberos@MIT.EDU" <kerberos@mit.edu>
On Wed, Aug 26, 2009 at 3:21 PM, Tom Yu <tlyu@mit.edu> wrote:
> Russ Allbery <rra@stanford.edu> writes:
>
>> Tom Yu <tlyu@MIT.EDU> writes:
>>> John Harris <harris@ucdavis.edu> writes:
>>
>>>> If I just have aes256-cts:normal and rc4-hmac:normal listed in kdc.conf
>>>> in the supported_enctypes field, I'm still able to create the
>>>> des-cbc-crc:normal service principal I need. In fact, I can kinit -S
>>>> for it and obtain it. My confusion lies in that I thought not having
>>>> des-cbc-crc:normal in this configuration line meant the KDC wouldn't
>>>> recognize or serve tickets for it.
>>
>>>> It'd be great to not have to put this in the config line so that later
>>>> principals only get the aes256 and rc4 types on them, but I'm not
>>>> understanding why I'm successfully obtaining a principal with only the
>>>> des encryption type without adding it to this line.
>>
>>> The "supported_enctypes" configuration variable really means "default
>>> list of enctype-salttype pairs for which the kadmin subsystem will
>>> generate keys". The name is arguably misleading; if anyone has ideas
>>> about a better name, please suggest one.
>>
>> default_enctypes, maybe?
>
> Possibly... though we do already have "default_tkt_enctypes" and
> "default_tgs_enctypes", which mean something completely different.
default_ktadd_enctypes ?
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
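
Added example, not part of the original thread and not MIT Kerberos code: because supported_enctypes only sets the default key/salt list that kadmin generates, an audit for DES keys has to compare each principal's actual keys against that list rather than trust the config line. The realm name, principal names, and key inventory below are constructed, and enctype names are compared literally (aliases are not resolved).

```python
import re

# Constructed kdc.conf fragment; the supported_enctypes value is the one quoted in the thread.
KDC_CONF = """
[realms]
    EXAMPLE.COM = {
        supported_enctypes = aes256-cts:normal rc4-hmac:normal
    }
"""

# Constructed inventory: principal -> enctypes of the keys it actually holds.
# In practice this would be collected from the KDC database; names are hypothetical.
PRINCIPAL_KEYS = {
    "host/new.example.com@EXAMPLE.COM": ["aes256-cts", "rc4-hmac"],
    "legacy/app.example.com@EXAMPLE.COM": ["des-cbc-crc"],
}


def default_keygen_enctypes(conf_text, realm):
    """Return the enctype names listed in supported_enctypes for one realm."""
    block = re.search(re.escape(realm) + r"\s*=\s*\{(.*?)\}", conf_text, re.S)
    if not block:
        raise ValueError("realm %s not found" % realm)
    line = re.search(r"^\s*supported_enctypes\s*=\s*(.+)$", block.group(1), re.M)
    if not line:
        raise ValueError("supported_enctypes not set for %s" % realm)
    pairs = re.split(r"[\s,]+", line.group(1).strip())
    # Each entry is enctype:salttype; only the enctype matters for this check.
    return {pair.split(":")[0] for pair in pairs}


def keys_outside_default(principal_keys, defaults):
    """Map each principal to the enctypes it holds that the default list lacks."""
    report = {}
    for principal, enctypes in principal_keys.items():
        extra = sorted(set(enctypes) - defaults)
        if extra:
            report[principal] = extra
    return report


if __name__ == "__main__":
    defaults = default_keygen_enctypes(KDC_CONF, "EXAMPLE.COM")
    for principal, extra in keys_outside_default(PRINCIPAL_KEYS, defaults).items():
        print("%s holds keys outside the default list: %s" % (principal, ", ".join(extra)))
```
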