[28534] in Kerberos
Re: Kerberized Services and Enctypes
daemon@ATHENA.MIT.EDU (Ken Hornstein)
Fri Oct 5 10:31:20 2007
Message-Id: <200710051430.l95EUfZ8010218@ginger.cmf.nrl.navy.mil>
To: kerberos@mit.edu
In-Reply-To: <17163.1191593705@malison.ait.iastate.edu>
Date: Fri, 05 Oct 2007 10:30:41 -0400
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
>How do I know which key types a service can support?
>From the KDC's perspective, there is no way to know that; it falls upon the
admin (you) to know that.
>Am I pretty much relegated to setting up a test KDC
>and pointing test clients at it and then trial&error
>for every single service/server/keytype combination
>to see which ones work and which ones don't?
>
>Or is there some way I can just check, oh this server
>app is linked against krb5-1.x.y and that supports
>enctypes a, b & c? Is there even a list of which
>release each enctype was first supported in?
You could probably generate that yourself just by looking at a release
history. You might even be able to write a small program that uses the
krb5 API to determine which enctypes a particular Kerberos library
supports. I don't think the number of enctypes you care about is large,
is it? I mean, I think from a practical perspective what you care
about 3DES, ArcFour, and AES. I would guess ArcFour and AES came in to
MIT Kerberos around the same time. Might require a little bit of work
looking at different releases, but it shouldn't take that long.
--Ken
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos