[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: forcing session key type

joda@pdc.kth.se (Johan Danielsson) writes:

> This is with a MIT KDC?

I think so, though I couldn't find out what version when I tried

> I think you need
> [libdefaults]
>         default_etypes = des3-cbc-sha1 des-cbc-crc
> or something like that. des-cbc-md5 *might* work, but last time i
> looked, MIT did funny things with des-cbc-md4 and -md5.

Yes, an MIT chap said there were such problems with MIT krb5 pre
1.2.3.  This also affects the current Solaris KDC for what it's worth.

It turns out that 

	default_etypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
	default_etypes_des = des3-hmac-sha1 des-cbc-crc des-cbc-md5

works, but putting those specs only in the block for that realm no
longer works (though it did previously).  Is that reasonable?  I was
advised not to use libdefaults because it unnecessarily weakens things
generally, though I doubt I should worry greatly.