[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: forcing session key type

To: joda@pdc.kth.se (Johan Danielsson)
Subject: Re: forcing session key type
From: Dave Love <d.love@dl.ac.uk>
Date: 15 May 2002 10:54:58 +0100
Cc: heimdal-discuss@sics.se
In-Reply-To: <xofit5q7eq7.fsf@blubb.pdc.kth.se>
References: <rzqd6vytzf9.fsf@albion.dl.ac.uk><xofit5q7eq7.fsf@blubb.pdc.kth.se>
Sender: owner-heimdal-discuss@sics.se
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.2

joda@pdc.kth.se (Johan Danielsson) writes:

> This is with a MIT KDC?

I think so, though I couldn't find out what version when I tried
before.

> I think you need
> 
> [libdefaults]
>         default_etypes = des3-cbc-sha1 des-cbc-crc
> 
> or something like that. des-cbc-md5 *might* work, but last time i
> looked, MIT did funny things with des-cbc-md4 and -md5.

Yes, an MIT chap said there were such problems with MIT krb5 pre
1.2.3.  This also affects the current Solaris KDC for what it's worth.

It turns out that 

[libdefaults]
	default_etypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
	default_etypes_des = des3-hmac-sha1 des-cbc-crc des-cbc-md5

works, but putting those specs only in the block for that realm no
longer works (though it did previously).  Is that reasonable?  I was
advised not to use libdefaults because it unnecessarily weakens things
generally, though I doubt I should worry greatly.

References:
- forcing session key type
  - From: Dave Love <d.love@dl.ac.uk>
- Re: forcing session key type
  - From: joda@pdc.kth.se (Johan Danielsson)

Prev by Date: Re: forcing session key type
Next by Date: PKINIT
Prev by thread: Re: forcing session key type
Next by thread: Real, Legal Protection! Stun Guns! New Cell Phone Stun Gun! Time:10:56:02 AM
Index(es):
- Date
- Thread