[31414] in Kerberos
Re: supported_enctypes question
daemon@ATHENA.MIT.EDU (John Harris)
Wed Aug 26 16:07:52 2009
Message-ID: <4A9595FF.60605@ucdavis.edu>
Date: Wed, 26 Aug 2009 13:07:27 -0700
From: John Harris <harris@ucdavis.edu>
To: "kerberos@MIT.EDU" <kerberos@mit.edu>
In-Reply-To: <ldvk50ql7ko.fsf@cathode-dark-space.mit.edu>
Thanks so much Tom; that makes sense to me. I would vote for not
changing it since it's been like, you know, 20 years in the making, but
if we're gonna change it perhaps:

harris_enctypes ? :)

Tom Yu wrote:
> John Harris <harris@ucdavis.edu> writes:
>
>> Greetings,
>>
>> I currently have an MIT KDC where I need to use the des-cbc-crc:normal
>> encryption type on *one* service principal. In the rest of my KDC, all
>> principals can be aes or rc4. I'm confused as to what I need in my
>> config and what will work.
>>
>> If I just have aes256-cts:normal and rc4-hmac:normal listed in kdc.conf
>> in the supported_enctypes field, I'm still able to create the
>> des-cbc-crc:normal service principal I need. In fact, I can kinit -S
>> for it and obtain it. My confusion lies in that I thought not having
>> des-cbc-crc:normal in this configuration line meant the KDC wouldn't
>> recognize or serve tickets for it.
>>
>> It'd be great to not have to put this in the config line so that later
>> principals only get the aes256 and rc4 types on them, but I'm not
>> understanding why I'm successfully obtaining a principal with only the
>> des encryption type without adding it to this line.
>
> The "supported_enctypes" configuration variable really means "default
> list of enctype-salttype pairs for which the kadmin subsystem will
> generate keys". The name is arguably misleading; if anyone has ideas
> about a better name, please suggest one.
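
Added example (not part of the original thread and not MIT Kerberos code): since supported_enctypes only sets the default list kadmin generates keys for, a principal can hold keys outside it, so this sketch compares the configured list with the `Key:` lines of `getprinc` output. The output layout, the alias table, and the sample realm and principal names are constructed assumptions.

```python
import re

# Assumed mapping: kdc.conf short names -> names as kadmin prints them.
ALIASES = {"aes256-cts": "aes256-cts-hmac-sha1-96",
           "rc4-hmac": "arcfour-hmac"}

def default_keygen_enctypes(kdc_conf):
    """Enctypes named by supported_enctypes, with salt types dropped."""
    m = re.search(r"^\s*supported_enctypes\s*=\s*(.+)$", kdc_conf, re.M)
    pairs = m.group(1).replace(",", " ").split() if m else []
    short = [p.split(":", 1)[0].lower() for p in pairs]
    return {ALIASES.get(s, s) for s in short}

def keys_by_principal(getprinc_text):
    """Map each principal to the enctypes of the keys stored for it."""
    result, current = {}, None
    for line in map(str.strip, getprinc_text.splitlines()):
        if line.startswith("Principal:"):
            current = line.split(":", 1)[1].strip()
            result[current] = set()
        elif line.startswith("Key:") and current:
            fields = [f.strip().lower() for f in line.split(",")]
            if len(fields) >= 2:        # "Key: vno 3, des-cbc-crc[, salt]"
                result[current].add(fields[1])
    return result

def outside_default(kdc_conf, getprinc_text):
    """Principals holding keys that supported_enctypes does not list."""
    default = default_keygen_enctypes(kdc_conf)
    return {p: sorted(k - default)
            for p, k in keys_by_principal(getprinc_text).items() if k - default}

# Constructed sample input, not taken from the thread.
SAMPLE_CONF = """[realms]
    EXAMPLE.COM = {
        supported_enctypes = aes256-cts:normal rc4-hmac:normal
    }
"""
SAMPLE_GETPRINC = """Principal: host/app.example.com@EXAMPLE.COM
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, arcfour-hmac
Principal: legacy/svc.example.com@EXAMPLE.COM
Key: vno 3, des-cbc-crc
MKey: vno 1
"""

if __name__ == "__main__":
    print(outside_default(SAMPLE_CONF, SAMPLE_GETPRINC))
```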