[19948] in Kerberos_V5_Development
Re: MIT krb5 release 1.18 will remove single-DES support
daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Jun 3 10:36:02 2019
To: Kenneth MacDonald <Kenneth.MacDonald@ed.ac.uk>, <krbdev@mit.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <af201273-3c72-22ed-5e6f-9bebb000bc2c@mit.edu>
Date: Mon, 3 Jun 2019 10:35:44 -0400
MIME-Version: 1.0
In-Reply-To: <637e8b4d8bdf75200aef84a14436505bd81643b6.camel@ed.ac.uk>
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On 6/3/19 6:17 AM, Kenneth MacDonald wrote:
> Thanks for clarifying that. Can you further confirm or correct these
> two assumptions I'm making following on from this ...
>
> 1/ Our kadmin/history key has a single-DES and another enctype, so
> we're safe for now.
Ordinarily kadmin/history only has one key; I guess this kadmin/history
entry was created with krb5-1.2 or earlier.
From my reading of the code, if kadmin/history has multiple keys, only
the first key is used to create new history entries, and password change
operations will fail out if that key has an unsupported enctype. So if
the first key is des-cbc-crc I would still expect an issue.
> 2/ If we rekey the kadmin/history key then all previous password
> history will be unavailable, so users will be able to reuse some
> previously used passwords (those set when the old kadmin/history key
> was in operation).
That is correct.
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
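The check Greg describes (only the first key listed for kadmin/history is used for new history entries, so that key's enctype decides whether password changes keep working once single-DES is gone) is easy to apply before an upgrade by reading the principal's key list. The following is an added example, not code from the thread or from MIT krb5: it parses `kadmin getprinc kadmin/history` output in the short-name `Key: vno N, <enctype>` format and reports whether the first key is single-DES. The set of single-DES enctype names and the sample output are assumptions constructed for the example.

```python
import re

# Single-DES enctype names as MIT krb5 prints them (assumption: this is the
# family that release 1.18 removes; des-cbc-crc is the one named in the thread).
SINGLE_DES_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw", "des-hmac-sha1",
}

# Matches getprinc key lines such as "Key: vno 1, des-cbc-crc, no salt" or
# "Key: vno 2, aes256-cts-hmac-sha1-96" (short enctype names assumed; very
# old kadmin versions print long descriptions instead, which this skips).
KEY_LINE = re.compile(r"^\s*Key:\s*vno\s+(\d+),\s*([A-Za-z0-9-]+)")


def parse_keys(getprinc_output):
    """Return (kvno, enctype) pairs in the order getprinc lists them."""
    keys = []
    for line in getprinc_output.splitlines():
        m = KEY_LINE.match(line)
        if m:
            keys.append((int(m.group(1)), m.group(2)))
    return keys


def history_key_status(getprinc_output):
    """Classify a kadmin/history entry using the rule from the message:
    only the first listed key is used to create new history entries, so the
    first key's enctype is what matters after single-DES support is removed."""
    keys = parse_keys(getprinc_output)
    if not keys:
        return "no-keys"
    first_enctype = keys[0][1]
    if first_enctype in SINGLE_DES_ENCTYPES:
        # Password changes would fail once this enctype is unsupported.
        return "first-key-single-des"
    if any(enc in SINGLE_DES_ENCTYPES for _, enc in keys):
        # Not used for new history entries, but worth cleaning up when rekeying.
        return "single-des-not-first"
    return "ok"


# Constructed sample output (not from any real site): a kadmin/history entry
# created long ago with two keys, single-DES listed first.
SAMPLE_OLD_HISTORY = """\
Principal: kadmin/history@EXAMPLE.COM
Number of keys: 2
Key: vno 1, des-cbc-crc, no salt
Key: vno 1, des3-cbc-sha1, no salt
"""

# Constructed sample output after the principal has been rekeyed.
SAMPLE_REKEYED_HISTORY = """\
Principal: kadmin/history@EXAMPLE.COM
Number of keys: 1
Key: vno 2, aes256-cts-hmac-sha1-96
"""

if __name__ == "__main__":
    for name, out in [("old", SAMPLE_OLD_HISTORY), ("rekeyed", SAMPLE_REKEYED_HISTORY)]:
        print(name, history_key_status(out))
```

Feed it the real `getprinc` output for kadmin/history; a result of `first-key-single-des` means the entry will need to be rekeyed before moving to 1.18, with the loss of prior password history that the second point in the message notes.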