On Sep 11, 2006, at 19:18, Tom Simons wrote:
> Is it possible to compile kerberos 1.5 to default to strong encryption (AES,
> 3DES), and eliminate the weaker ones entirely?
> I see the ENCTYPEs and CKSUMTYPEs in src/include/krb5/krb5.h - is it just a
> matter of removing/reordering them?

Not as a simple configure-time option, but if you go into the krb5 library sources, there's a macro defined in there which has the compiled-in default list of enctypes; you could remove DES there. Or you could go into the crypto library and delete or alter the table entries where it recognizes the names of the DES-based enctypes. Neither of those will completely cripple all the DES support -- it could still be found by number, e.g. when processing a received message using those types, unless you remove the entries from the table in the crypto library. Even that will still leave (most of?) the bits used by the Kerberos v4 support intact. But you'd certainly make it harder to accidentally use DES.

The current compiled-in defaults should cause the stronger enctypes to be preferred, though, unless you've got configuration data someplace (config file, key types in existing database entries) telling it to pick DES first.

Ken
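
An added example, not part of the original message or of the krb5 sources: a short Python audit for the "configuration data" case mentioned above, reporting enctype lists in a krb5.conf or kdc.conf that name single-DES types and whether DES is listed first. The relation names checked (default_tkt_enctypes, default_tgs_enctypes, permitted_enctypes, supported_enctypes) are standard MIT krb5 settings that the message itself does not name, and the sample configuration is constructed.

```python
import re

# krb5.conf / kdc.conf relations that carry ordered enctype lists.
ENCTYPE_KEYS = {"default_tkt_enctypes", "default_tgs_enctypes",
                "permitted_enctypes", "supported_enctypes"}

def is_single_des(name):
    """True for single-DES names (des-cbc-crc, ...), false for des3-* and AES."""
    return name == "des" or name.startswith("des-")

def audit_enctypes(conf_text):
    """Return one finding per enctype list that names a single-DES type."""
    findings, section = [], None
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip() not in ENCTYPE_KEYS:
            continue
        # Entries are separated by spaces or commas; kdc.conf adds ":salt".
        names = [t.split(":")[0].lower() for t in re.split(r"[\s,]+", value.strip()) if t]
        weak = [n for n in names if is_single_des(n)]
        if weak:
            findings.append({"line": lineno, "section": section, "key": key.strip(),
                             "weak": weak, "des_first": is_single_des(names[0])})
    return findings

# Constructed sample configuration, not taken from any real site.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    # DES first: this order would override the stronger built-in preference
    default_tkt_enctypes = des-cbc-crc des3-cbc-sha1 aes256-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 des3-cbc-sha1
    permitted_enctypes = aes256-cts-hmac-sha1-96, des3-cbc-sha1, des-cbc-md5
"""

if __name__ == "__main__":
    for f in audit_enctypes(SAMPLE):
        note = "DES is first choice" if f["des_first"] else "DES still allowed"
        print(f'line {f["line"]} [{f["section"]}] {f["key"]}: {", ".join(f["weak"])} ({note})')
```

This only covers configuration files; key types already stored in existing database entries have to be checked on the KDC side.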
