On Mon, Oct 8, 2012 at 10:05 AM, Jim Green <[email protected]> wrote:
> Thanks for the responses, this is very helpful. One question: are you
> saying that if our existing user principals have both AES and DES encrypted
> keys that it is possible to remove the DES keys without having to force all
> our users to change their passwords (e.g. with kdb_util dump/load)? It
> seems to me I've read conflicting opinions on that.

You can definitely remove the keys with a Heimdal kdc. It's one of the kadmin commands. It's not so clear to me how to do that with an MIT kdc.

> When MSU rolled out Kerberos 5 in 2005 we did force everyone to change their
> passwords and my understanding is they all got triple-DES and AES keys in
> addition to DES at that time and going forward.

Well, that's definitely step 1 in the process and probably the most user visible source of pain.

- Booker C. Bense
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
