Jeffrey Altman wrote:

Craig Huckabee wrote:

But even when I set:

 default_tgs_enctypes = des-cbc-crc
 default_tkt_enctypes = des-cbc-crc

on the client, I get a des-cbc-crc session key, but a 3des tkt.  This
happens with an MIT 1.3.6 kinit on Linux and Solaris.

 Is the KDC just picking the first key type from the list of available
encryption types, despite what the client asks for ?  Any suggestions
for testing this theory (I've done some ethereal sniffs which lead me to
think the KDC is at fault)?


The choice of the enctype used to encrypt the portion of the ticket
given to the service is determined by the enctypes configured for the
service principal.  To restrict tickets being given to a service to
des-cbc-crc you must remove all enctypes other than des-cbc-crc from
the service principal in the Kerberos database.


OK - so if I didn't want *anyone* to get a 3DES TGT, I'd have to completely remove 3DES from the enctypes list for my krbtgt principal.
Makes sense.



DO NOT, I repeat, DO NOT attempt to place restrictions on the enctypes
lists in the krb5.conf file.  You are only going to get yourself into
deep trouble in the future.  default_tgs_enctypes and
default_tkt_enctypes should 99.9% of the time never be used by anyone.


Understood, however those parameters don't appear to work as documented either.


I did some testing last night on a demo realm I have on a private network - whatever enctype is listed first for the krbtgt principal is the one selected for the tkt no matter what the client asks for. The skey gets selected as expected when default_tgs_enctypes is used.



--
/ Craig Huckabee        |          e-mail: [EMAIL PROTECTED] /
/ Code 715-CH           |           phone: (843) 218 5653       /
/ SPAWAR Systems Center | close proximity: "Hey You!"           /
/ Charleston, SC        |            ICBM:  32.78N, 79.93W      /
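The two selection rules discussed above (ticket enctype follows the service principal's stored keys; session key follows the client's requested list) as a small Python model. This is an added illustration, not MIT Kerberos code and not something either poster wrote; the principal names, key lists and the KDC's permitted-enctype set are constructed, and a real KDC applies further rules (kvno, permitted_enctypes, per-principal flags) that this model leaves out.

```python
# Toy model of the KDC enctype selection described in this thread.
# Added example, not MIT Kerberos source: it reproduces only the two
# decisions the thread discusses and nothing else a real KDC does.
from dataclasses import dataclass

# Single-DES enctypes, useful for auditing which principals still carry them.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}


@dataclass
class Principal:
    """A KDB entry: principal name plus its keys, in stored order."""
    name: str
    enctypes: list  # first entry is the one the ticket will be encrypted in


def ticket_enctype(service):
    """The ticket is encrypted in the service principal's own key.

    The client's default_tkt_enctypes / default_tgs_enctypes play no part
    here, which is why the poster kept receiving a 3DES TGT.
    """
    if not service.enctypes:
        raise ValueError(f"{service.name} has no keys in the KDB")
    return service.enctypes[0]


def session_key_enctype(requested, kdc_permitted):
    """Session key: first enctype the client asked for that the KDC permits."""
    for et in requested:
        if et in kdc_permitted:
            return et
    raise ValueError("no requested enctype is permitted by the KDC")


def issue_tgt(requested, krbtgt, kdc_permitted):
    """Return the enctypes an AS exchange would produce under this model."""
    return {
        "ticket": ticket_enctype(krbtgt),
        "session_key": session_key_enctype(requested, kdc_permitted),
    }


def restrict_service_to(service, enctype):
    """Apply the advice in the thread: remove every other key from the
    service principal in the database. Returns the enctypes removed."""
    removed = [et for et in service.enctypes if et != enctype]
    service.enctypes = [et for et in service.enctypes if et == enctype]
    if not service.enctypes:
        raise ValueError(f"{service.name} never had a {enctype} key")
    return removed


def single_des_principals(principals):
    """Audit helper: names of principals still holding a single-DES key."""
    return [p.name for p in principals if SINGLE_DES & set(p.enctypes)]


if __name__ == "__main__":
    # Constructed demo realm; the krbtgt key list has 3DES first, DES second.
    permitted = {"des3-cbc-sha1", "des-cbc-crc"}
    krbtgt = Principal("krbtgt/DEMO.EXAMPLE@DEMO.EXAMPLE",
                       ["des3-cbc-sha1", "des-cbc-crc"])
    # Client asks for des-cbc-crc only, exactly as in the original report.
    print(issue_tgt(["des-cbc-crc"], krbtgt, permitted))
    print("removed:", restrict_service_to(krbtgt, "des-cbc-crc"))
    print(issue_tgt(["des-cbc-crc"], krbtgt, permitted))
    print("single-DES principals:", single_des_principals([krbtgt]))
```

Running the demo shows the mismatch from the report (3DES ticket, DES session key) and then, once the 3DES key is dropped from the krbtgt entry, a DES ticket as well; the audit helper is the check you would run before deciding whether such a restriction is safe for a realm.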

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos