Apple's kinit is now complaining if a KDC generates a des3 ticket:
Encryption type des3-cbc-sha1(16) used for authentication is weak and will be
deprecated
If one uses the "-e" option, one gets the message:
$ /usr/bin/kinit -e aes128-cts-hmac-sha1-96 test@
test@'s password:
kinit: krb5_get_init_
On 02/12/2018 10:37 AM, John Tang Boyland wrote:
> What's going on? Does MIT kerberos not actually support AES256?
Check the keys for the krbtgt/ principal entry. The ticket will
always be encrypted in the first of those keys. I suspect that key is des3.
To explain your three different results
Thanks very much!
Your information was very much on target.
(I was embarrassed to see that I had set
a 256 key and asked for a 128 key.)
There is the possible error in your reply that
even changing the 'test' principal to
have both aes128 and aes256 keys was not sufficient
to make Apple's kinit w