[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Setting enctype in tickets

is it possible to get a service ticket with explicit encryption type? When I
use 'kgetcred -e des-cbc-crc host/<FQDN>@REALM>' then I get a ticket with
des-cbc-md5. Moreover, when I try '-e des-cbc-md[45]' the KDC complains about
not supported etypes.

After looking at the kgetcred source, I think two various types are mixed
there. If the -e parameter is used, the parsed value is stored in
in.session.keytype and the 'in' struct is later passed to the
krb5_get_credentials function. But the in.session.keytype field is expected to
carry a value of KEYTYPE (i.e. DES, DES3, ARCFOUR) not ENCTYPE. Unfortunately
enough, the domains of these two types are similar (e.g KEYTYPE_DES =
ETYPE_DES_CBC_CRC). This leads to weird results at least of the kgetcred
program. I think either the '-e' parameter should be changed or another
function allowing specification of enctype should be used.

Daniel Kouril