[39003] in Kerberos


Re: supported enctypes: what is the net effect of removing 3des?

daemon@ATHENA.MIT.EDU (Greg Hudson)
Sun Oct 3 13:23:30 2021

To: "Dan Mahoney (Gushi)" <danm@prime.gushi.org>, <kerberos@mit.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <1c83969c-9cbb-143c-eeb8-be196cd78f97@mit.edu>
Date: Sun, 3 Oct 2021 13:21:05 -0400
In-Reply-To: <bb892711-eafc-c111-20a2-f18ecfb23d3e@prime.gushi.org>

On 10/3/21 5:34 AM, Dan Mahoney (Gushi) wrote:
> My reading of "supported_enctypes" is simply that it will stop kadmin/the KDC from generating NEW keys of an older type, correct?

Correct.  (The KDC doesn't generate long-term keys, so only
kadmind/kadmin.local and kdb5_util are affected.  Also note that a
kadmin client can specify an enctype/salttype list when creating new key
sets, in which case supported_enctypes is ignored.)

> That if I do a cpw without -keepold, those keys will be removed -- but otherwise, the KDC will not act as though a user with 3des-only keys doesn't exist.

Correct.  Removing an enctype from permitted_enctypes causes the KDC to
ignore keys of that type, but supported_enctypes is only about new
long-term keys.

> Changing it should not break any authentication or tickets?

Correct.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
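Since removing an enctype from permitted_enctypes makes the KDC ignore keys of that type, a principal whose only keys are des3-cbc-sha1 will stop authenticating at that point. The following shell example is added here and is not from the thread: it scans getprinc-style output and lists principals with no key of any other type. The dump is constructed, and it assumes MIT kadmin's `Key: vno N, enctype` line format (some versions append a salt type after `:` or `,`).

```shell
# Constructed sample in the shape of `kadmin.local -q "getprinc <name>"` output,
# concatenated for several principals.
SAMPLE_DUMP='Principal: alice@EXAMPLE.COM
Number of keys: 2
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, des3-cbc-sha1
Principal: legacy-svc/host.example.com@EXAMPLE.COM
Number of keys: 1
Key: vno 1, des3-cbc-sha1:norealm
Principal: bob@EXAMPLE.COM
Number of keys: 1
Key: vno 2, aes128-cts-hmac-sha1-96'

# Read getprinc output on stdin; print each principal whose keys are ALL
# des3-cbc-sha1. These are the principals that would lose every usable key
# once des3 is dropped from permitted_enctypes, so they need a cpw first.
des3_only_principals() {
  awk '
    function flush() {
      if (princ != "" && nkeys > 0 && nkeys == ndes3) print princ
      princ = ""; nkeys = 0; ndes3 = 0
    }
    /^Principal: / { flush(); princ = $2 }
    /^Key: vno /   {
      nkeys++
      enc = $4
      sub(/[,:].*$/, "", enc)   # strip a trailing comma or ":salttype"
      if (enc == "des3-cbc-sha1") ndes3++
    }
    END { flush() }
  '
}

# Run against the constructed dump. In practice, pipe the output of
# kadmin.local getprinc for every principal from getprincs into the function.
printf '%s\n' "$SAMPLE_DUMP" | des3_only_principals
```

Principals it prints still authenticate today (supported_enctypes only governs new keys) but will not after the permitted_enctypes change; rekeying them with cpw beforehand avoids the outage.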
