[39002] in Kerberos

Re: master key type in kdc.conf

daemon@ATHENA.MIT.EDU (Greg Hudson)
Sun Oct 3 13:18:46 2021

To: "Dan Mahoney (Gushi)" <danm@prime.gushi.org>, <kerberos@mit.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <01e503c0-381c-69bf-fa76-72150ec490af@mit.edu>
Date: Sun, 3 Oct 2021 13:15:46 -0400
In-Reply-To: <7dedcb59-f09e-54ed-a0ce-5b5aac3357d@prime.gushi.org>

On 10/3/21 3:36 AM, Dan Mahoney (Gushi) wrote:
> We're in the process of rolling our mkey to get off 3des, and we found 
> that someone in the before-times has put this line in our kdc.conf:
> 
> master_key_type = des3-hmac-sha1
[...]
> Would things break if I just took this line out?  Or would the kdc fail to 
> start because a K/M of the default enctype isn't present yet?

From a review of the code, I am pretty sure that this setting is only
used when the mkey is entered from the keyboard (including during KDB
creation).  Assuming you are using a stash file, you should be able to
remove this setting.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
