Ken Hornstein (Contractor) <[EMAIL PROTECTED]> writes: >> I've also found that if I took a client linked with a Kerberos library >> that didn't understand AES keys (1.2 era), pointed it at a ticket cache >> containing an AES TGT, and asked it to get a service ticket, it would >> fail.
> With an AES TGT, or an AES session key as part of the TGT? The latter > would obviously fail; I really thought we had 1.2 era clients with AES > service tickets without any problems, but perhaps my memory is failing > me. A ticket where both skey and tkt were AES. I assume that it would have worked fine if tkt was AES but skey was 3DES. (The specific problem was that we used k5start to maintain a ticket cache which other programs then used to obtain service tickets, k5start was linked with a new enough version of Kerberos that it negotiated an AES skey, and the other programs were linked with an older version of Kerberos that only understood 3DES at best.) -- Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/> _______________________________________________ OpenAFS-info mailing list [email protected] https://lists.openafs.org/mailman/listinfo/openafs-info
