John Dennis wrote:
On 02/25/2012 09:40 AM, Simo Sorce wrote:
Why do we now have all these enctypes? Is it to satify forwarding/proxy
when you don't know a prori which enctype the foreign endpoint will
require?

Because in kerberos each principal can have multiple keys, generally one
per supported (by the KDC) enctype. This is so that a client can use the
strongest enctype it has crypto support for.

Sure, that makes sense. But this is new behavior, what changed?


Nothing, it has always worked this way.

These days you'll only see 4 enctypes as DES is disabled by default.

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to