[29274] in Kerberos
Converting KDC from DES
daemon@ATHENA.MIT.EDU (Mike Friedman)
Sun Feb 17 20:53:33 2008
Date: Sun, 17 Feb 2008 17:51:56 -0800 (PST)
From: Mike Friedman <mikef@ack.berkeley.edu>
To: kerberos@mit.edu
In-Reply-To: <20080217170853.T35078@malcolm.berkeley.edu>
Message-ID: <20080217174930.A35078@malcolm.berkeley.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[Sorry if two copies of this get sent out. The first one had a return
address other than the one with which I'm subscribed to this list, so I'm
sending this second copy to be sure it gets through at all].
I'm going to be moving our KDC to a new set of servers and a current
release level of MIT K5 (going from 1.4.2 to 1.6.3). If it's feasible,
I'd like to take this opportunity to move from DES to a better encryption
algorithm for our KDCs.
Questions:
1. Can conversion to a new encryption algorithm be done non-disruptively
to users? What about users whose passwords were set back in our MIT K4
days (I'm not sure if we have any of those left - we've been on K5 for
over 8 years - but it's possible we do).
2. What are all the steps involved? Since I'll be moving everything to
new machines, I'm willing to do more than I would if this were just a
release upgrade of my existing Kerberos environment.
3. Assuming this is all doable, any suggestions as to which encryption
algorithm to use?
Thanks.
Mike
_________________________________________________________________________
Mike Friedman Information Services & Technology
mikef@berkeley.edu 2484 Shattuck Avenue
1-510-642-1410 University of California at Berkeley
http://socrates.berkeley.edu/~mikef http://ist.berkeley.edu
_________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQA/AwUBR7jkwK0bf1iNr4mCEQLikwCeMhk0dtacxqzhyvhq/vne+HGFZxYAoL+s
ff+u5bRAwLbl1bQmt6U5yZsX
=jPgu
-----END PGP SIGNATURE-----
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
