> Can you please update your documents to indicate that this
> significantly decreases the security of your realm? It has the effect
> of preferring des instead of des3 for the service tickets issued among
> other things.

Good point. If you know that only a few principals are likely to use the des3-less client machines, I think you can limit the scope of the problem to just those principals. Adding either "-e des:normal" or "-requires_preauth" to my add_principal commands allows me to create principals that can authenticate from my SEAM client machine even when des3 is listed first in the config files on the KDC. The first way limits the principal to des, and the second avoids preauthentication for the principal; either one seems to work around the bug.

This seems less bad than making a global change that affects the entire realm, if the set of SEAM users isn't large. If some principals are known to use the SEAM clients and only the SEAM clients, then limiting those clients to just des is no real loss, since the client software doesn't support des3 anyway.

________________________________________________
Kerberos mailing list
https://mailman.mit.edu/mailman/listinfo/kerberos
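An added example, not part of the original message: a small audit that lists which principals carry either per-principal exception described above (des-only keys, or no preauthentication requirement), so the set can be compared against the intended SEAM users. It assumes text shaped like `kadmin getprinc` output with `Principal:`, `Key:` and `Attributes:` lines; the principals and sample text are constructed.

```python
# Constructed sample in the assumed getprinc-style layout (hypothetical principals).
SAMPLE = """\
Principal: seamuser@EXAMPLE.COM
Number of keys: 1
Key: vno 2, des-cbc-crc
Attributes:

Principal: alice@EXAMPLE.COM
Number of keys: 2
Key: vno 3, des3-cbc-sha1
Key: vno 3, des-cbc-crc
Attributes: REQUIRES_PRE_AUTH
"""

def parse_principals(text):
    """Return {principal: {"enctypes": [...], "attrs": set()}} from the dump."""
    out, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Principal:"):
            name = line.split(":", 1)[1].strip()
            cur = out.setdefault(name, {"enctypes": [], "attrs": set()})
        elif cur is None:
            continue
        elif line.startswith("Key:"):
            # "Key: vno N, <enctype>[, <salt>]" -> keep the enctype field
            fields = [f.strip() for f in line.split(":", 1)[1].split(",")]
            if len(fields) >= 2:
                cur["enctypes"].append(fields[1].lower())
        elif line.startswith("Attributes:"):
            cur["attrs"].update(line.split(":", 1)[1].split())
    return out

def is_single_des(enctype):
    # "des-cbc-crc" and "des-cbc-md5" match; "des3-cbc-sha1" does not.
    return enctype.startswith("des-")

def audit(text):
    """Map each weakened principal to the list of exceptions it carries."""
    findings = {}
    for name, p in parse_principals(text).items():
        issues = []
        if p["enctypes"] and all(is_single_des(e) for e in p["enctypes"]):
            issues.append("des-only keys")
        if "REQUIRES_PRE_AUTH" not in p["attrs"]:
            issues.append("no preauth required")
        if issues:
            findings[name] = issues
    return findings
```
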
