On 9/11/06, Ken Raeburn <[EMAIL PROTECTED]> wrote:
>
> On Sep 11, 2006, at 14:26, Rich Frobose wrote:
> > I find that when I have a principal with both a DES key and an AES128
> > key then I cannot use kinit to authenticate using a keytab file that
> > only has the AES128 key. I would like to know why I cannot
> > authenticate through kinit using just my AES128 key.
>
> Currently kinit will not look at the keytab to come up with a list of
> encryption types; it just asks for any encryption type it knows
> about, and assumes that the KDC can do the right thing. The KDC
> assumes that the keytab will have all of the keys, and picks the
> first one (they're in a sort of preference order in the database).
>
> We could change kinit to look at the keytab for the enctypes, but it
> could also be argued that if the KDC and keytab are not consistent,
> your configuration is broken....
>
> > In trying to research this I noticed the following in the latest (Aug
> > 4, 2006) "Kerberos V5 application programming library"
> > documentation. In the description of the krb5_get_in_tkt call it
> > says that "valid encryption types are ETYPE_DES_CBC_CRC and
> > ETYPE_RAW_DES_CBC".
>
> That document is very much out of date, I'm afraid.
>
> > Am I to understand that the API used by kinit will use only DES keys
> > to get initial tickets? If so, is this just a current implementation
> > problem or is there a more basic technical problem that will not let
> > kinit be extended to use an AES128 key?
>
> It should work just fine with AES... confusion about the
> configuration aside....
>
> Ken
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
Is it possible to compile Kerberos 1.5 to default to strong encryption (AES, 3DES), and eliminate the weaker ones entirely? I see the ENCTYPEs and CKSUMTYPEs in src/include/krb5/krb5.h - is it just a matter of removing/reordering them?
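
The mismatch described in the quoted reply above (the KDC picks the first key it stores for the principal, while the keytab holds only some of those keys) can be checked by comparing the two listings. This is an added example, not part of the original thread or of MIT Kerberos; the sample text is constructed in the style of `klist -ke` and kadmin `getprinc` output, and the principal, file path and function names are hypothetical.

```python
import re

# Constructed sample in the style of `klist -ke <keytab>` output (assumption).
KLIST_OUTPUT = """\
Keytab name: FILE:/tmp/rich.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 rich@EXAMPLE.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
"""

# Constructed sample in the style of kadmin `getprinc` output (assumption).
GETPRINC_OUTPUT = """\
Principal: rich@EXAMPLE.COM
Number of keys: 2
Key: vno 3, DES cbc mode with CRC-32, no salt
Key: vno 3, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
"""

def keytab_keys(text, principal):
    """Return the set of (kvno, enctype) pairs the keytab holds for principal."""
    pat = re.compile(r"^[ \t]*(\d+)[ \t]+(\S+)[ \t]+\((.+)\)[ \t]*$", re.M)
    return {(int(k), e) for k, p, e in pat.findall(text) if p == principal}

def kdc_keys(text):
    """Return (kvno, enctype) pairs in the order the KDC database lists them."""
    pat = re.compile(r"^Key: vno (\d+), ([^,\n]+)", re.M)
    return [(int(k), e.strip()) for k, e in pat.findall(text)]

def check_consistency(klist_text, getprinc_text, principal):
    """Report KDC keys missing from the keytab, and whether the first
    (preferred) KDC key is one the keytab actually contains."""
    in_keytab = keytab_keys(klist_text, principal)
    in_kdc = kdc_keys(getprinc_text)
    missing = [k for k in in_kdc if k not in in_keytab]
    first_ok = bool(in_kdc) and in_kdc[0] in in_keytab
    return {"missing": missing, "first_key_in_keytab": first_ok}

if __name__ == "__main__":
    result = check_consistency(KLIST_OUTPUT, GETPRINC_OUTPUT, "rich@EXAMPLE.COM")
    for kvno, enctype in result["missing"]:
        print(f"KDC has kvno {kvno} {enctype}; keytab does not")
    if not result["first_key_in_keytab"]:
        print("keytab login may fail: the KDC's first key is not in the keytab")
```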
