[19947] in Kerberos_V5_Development

Re: MIT krb5 release 1.18 will remove single-DES support

daemon@ATHENA.MIT.EDU (Kenneth MacDonald)
Mon Jun 3 06:17:55 2019

Message-ID: <637e8b4d8bdf75200aef84a14436505bd81643b6.camel@ed.ac.uk>
From: Kenneth MacDonald <Kenneth.MacDonald@ed.ac.uk>
To: Greg Hudson <ghudson@mit.edu>, <krbdev@mit.edu>
Date: Mon, 3 Jun 2019 11:17:33 +0100
In-Reply-To: <096e5d8d-ebd0-e24d-329c-05280eef7f77@mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On Fri, 2019-05-31 at 18:57 -0400, Greg Hudson wrote:
> On 5/31/19 8:59 AM, Kenneth MacDonald wrote:
> > On Tue, 2019-05-28 at 15:01 -0400, Greg Hudson wrote:
> > > This is advance notice that the MIT krb5 1.18 release, planned for
> > > near the end of this year, will remove support for the single-DES
> > > encryption types
> > Does this impact on the kadmin/history key as documented at
> >
> > https://web.mit.edu/kerberos/krb5-latest/doc/admin/database.html#updating-the-history-key
>
> Yes; if the kadmin/history key uses a single-DES enctype, it will
> need to be migrated, or change-password operations on principals
> with policies will experience failures with 1.18.

Thanks for clarifying that.  Can you further confirm or correct these
two assumptions I'm making following on from this ...

1/ Our kadmin/history key has a single-DES and another enctype, so
we're safe for now.

2/ If we rekey the kadmin/history key then all previous password
history will be unavailable, so users will be able to reuse some
previously used passwords (those set when the old kadmin/history key
was in operation).

Cheers,

Kenny.



-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
