Russ Allbery, Fri Jul 10 2009 16:31:14 GMT+0200 (CEST):

> Peter Jordan <[email protected]> writes:
>
>> Let the option
>> master_key_type = des3-hmac-sha1
>> as it is?
>
> Yes. The master key isn't used on the network and changing it is very
> difficult in lenny.

But for new installations a change is not a bad idea?

>> No change in /etc/krb5.conf required?
>
> Correct. Clients will negotiate the strongest available encryption key
> automatically.

How can I see that the change has worked?

>> should I renew all host keys?
>
> Ideally, yes, since that will get them on AES only. If you have any
> existing keys that don't have AES keys, you do need to list fallback
> enctypes as supported until you've rekeyed them or you won't be able to
> authenticate to them.

It seems to work without renewing old keys (host/nfs). How can I see which enctypes the keys have?

btw. if I list the principal for me in kadmin.local there are no values for Last successful authentication / Last failed authentication and Failed password attempts although the REQUIRES_PRE_AUTH attribute is set:

get_principal peter
Principal: [email protected]
[...]
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 6
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with RSA-MD5, Version 4
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
Attributes: REQUIRES_PRE_AUTH
Policy: [none]

Do you know what is wrong?

Thank you very much!

PJ
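An added example, not part of the original message and not code from MIT Kerberos: a small Python audit of `get_principal` output that reports which enctypes the newest key set carries and whether fallback enctypes still have to stay enabled for that principal, as the quoted reply describes. The helper names, the principal names and the AES key line in the second sample are assumptions; the first sample's key lines are copied from the output in the message.

```python
import re

# "Key:" lines as printed by get_principal in the message above.
KEY_RE = re.compile(r"^\s*Key: vno (\d+), (.*), ([^,]+)$")

def parse_keys(text):
    """Return (kvno, enctype description, salt) for every Key: line."""
    return [(int(m.group(1)), m.group(2), m.group(3).strip())
            for m in map(KEY_RE.match, text.splitlines()) if m]

def audit(text):
    """Summarise the newest key set of one principal (hypothetical helper)."""
    keys = parse_keys(text)
    kvno = max((k for k, _, _ in keys), default=None)
    current = [e for k, e, _ in keys if k == kvno]
    has_aes = any(e.lower().startswith("aes") for e in current)
    # Single DES only; "Triple DES" / "des3" are deliberately not matched.
    single_des = sorted({e for e in current if re.match(r"des[ -]", e, re.I)})
    return {"kvno": kvno, "has_aes": has_aes, "single_des": single_des,
            # No AES key yet: fallback enctypes must stay enabled until rekey.
            "needs_fallback": bool(keys) and not has_aes}

# Key lines copied from the message; the principal name is a placeholder.
OLD_PRINCIPAL = """\
Principal: user@EXAMPLE.ORG
Number of keys: 6
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with RSA-MD5, Version 4
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
"""

# Constructed sample of a rekeyed host principal; the AES line is an assumption.
NEW_PRINCIPAL = """\
Principal: host/nfs.example.org@EXAMPLE.ORG
Number of keys: 2
Key: vno 2, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
"""

if __name__ == "__main__":
    for sample in (OLD_PRINCIPAL, NEW_PRINCIPAL):
        print(audit(sample))
```
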

