[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: forcing session key type
email@example.com (Johan Danielsson) writes:
> This is with a MIT KDC?
I think so, though I couldn't find out what version when I tried
> I think you need
> default_etypes = des3-cbc-sha1 des-cbc-crc
> or something like that. des-cbc-md5 *might* work, but last time i
> looked, MIT did funny things with des-cbc-md4 and -md5.
Yes, an MIT chap said there were such problems with MIT krb5 pre
1.2.3. This also affects the current Solaris KDC for what it's worth.
It turns out that
default_etypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
default_etypes_des = des3-hmac-sha1 des-cbc-crc des-cbc-md5
works, but putting those specs only in the block for that realm no
longer works (though it did previously). Is that reasonable? I was
advised not to use libdefaults because it unnecessarily weakens things
generally, though I doubt I should worry greatly.