On Mon, Jul 04, 2005 at 03:29:11PM -0500, Will Fiveash wrote:
> > 1. Changing the enctypes (the previous admin had it hard coded) will cause
> > session keys to use the new enctypes, but other keys will not immediately
> > see effect.
>
> If you mean creating a new set of enctype keys for service princs will
> have an immediate effect on the enctype of sessions keys issued after
> the new keys are created then yes (make sure the service systems
> krb5.keytab is updated also). I am not sure what you mean by "other
> keys".
What I meant was "changing enctypes in kdc.conf and krb5.conf and doing
nothing else should at best up the encryption of the session keys. Nothing
else will change until passwords are changed."

> > Is there a way to tell what encryption type is being used for the session
> > key? I'm assuming the "3 etypes {511 511 1}" means there are three
> > encryption types defined (which seems right)... but then there's "etypes
> > {rep=1 tkt=1 ses=1}" which I interpret to say the session key is type "1"
> > (DES?).
>
> klist -e should show something like:
>
> $ klist -e
> Ticket cache: FILE:/tmp/krb5cc_10224
> Default principal: [EMAIL PROTECTED]
>
> Valid starting     Expires            Service principal
> 07/04/05 15:12:13  07/04/05 23:12:13  krbtgt/[EMAIL PROTECTED]
>         renew until 07/11/05 15:12:13, Etype(skey, tkt): AES-128 CTS mode
>         with 96-bit SHA-1 HMAC, AES-128 CTS mode with 96-bit SHA-1 HMAC

Ah, very cool.

So in my test environment I have a KDC with a bunch of DES encrypted
principals. I changed the "enctypes" on both krb5.conf and kdc.conf from
des to rc4, des3, and des, and changed the password on my principal. I now
see:

Number of keys: 3
Key: vno 10, ArcFour with HMAC/md5, no salt
Key: vno 10, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 10, DES cbc mode with CRC-32, no salt
Attributes:

from kadmin, great (though is that "no salt" supposed to be there?)!
However, klist -e shows:

[EMAIL PROTECTED] unstale]$ klist -e
Ticket cache: FILE:/tmp/krb5cc_36070
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
07/05/05 13:36:31  07/05/05 23:36:31  krbtgt/[EMAIL PROTECTED]
        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
[EMAIL PROTECTED] unstale]$

and the logs show:

Jul 05 13:36:31 frantic.usc.edu krb5kdc[26284](info): AS_REQ (3 etypes {23 16 1}) 128.125.10.120: ISSUE: authtime 1120595791, etypes {rep=23 tkt=1 ses=1}, [EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED]

Neither the session key, nor my principal key seem to have been using the
new encryption... it's not clear to me why...

--
Phil Dibowitz
Systems Architect and Administrator
Enterprise Infrastructure / ISD / USC
UCC 180 - 213-821-5427
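The KDC log line quoted in the message above packs three separate enctype decisions into "etypes {rep=23 tkt=1 ses=1}": rep is the enctype of the KDC reply (encrypted under the client principal's key), tkt is the enctype the ticket itself is encrypted in (the service principal's key, here krbtgt), and ses is the session key enctype. The following Python is an added example, not code from the thread or from MIT Kerberos, that parses MIT krb5kdc AS_REQ ISSUE lines, maps the numeric enctypes to their registered names, and lists every issued ticket or session key that is still on single DES, which is the check a KDC admin would run during a DES retirement. The first sample line reproduces the message's log line with the redacted principals replaced by constructed ones (phil@EXAMPLE.COM and krbtgt/EXAMPLE.COM@EXAMPLE.COM); the other sample lines are constructed.

```python
import re

# Kerberos enctype numbers and their registered names (RFC 3961/3962, RFC 4757, RFC 8009).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128",
    20: "aes256-cts-hmac-sha384-192",
    23: "rc4-hmac",
    24: "rc4-hmac-exp",
}

# Single-DES enctypes: the ones the message is trying to retire.
DES_ENCTYPES = {1, 2, 3}

# Shape of an MIT krb5kdc AS_REQ ISSUE line, as quoted in the message.
ISSUE_RE = re.compile(
    r"AS_REQ \((?P<n>\d+) etypes \{(?P<requested>[\d ]+)\}\) (?P<client_addr>\S+): "
    r"ISSUE: authtime (?P<authtime>\d+), "
    r"etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, "
    r"(?P<client>\S+) for (?P<server>\S+)"
)

# Constructed sample log. Line 1 mirrors the message's line with constructed principals;
# line 2 is a constructed all-AES issue; line 3 is a constructed non-ISSUE line.
SAMPLE_LOG = [
    "Jul 05 13:36:31 frantic.usc.edu krb5kdc[26284](info): AS_REQ (3 etypes {23 16 1}) "
    "128.125.10.120: ISSUE: authtime 1120595791, etypes {rep=23 tkt=1 ses=1}, "
    "phil@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    "Jul 05 14:02:10 kdc.example.com krb5kdc[26284](info): AS_REQ (2 etypes {18 17}) "
    "192.0.2.10: ISSUE: authtime 1120597330, etypes {rep=18 tkt=18 ses=18}, "
    "alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    "Jul 05 14:02:11 kdc.example.com krb5kdc[26284](info): closing down fd 11",
]


def enctype_name(num):
    """Registered name for an enctype number, or a marker for unknown ones."""
    return ENCTYPE_NAMES.get(num, "unknown(%d)" % num)


def parse_issue_line(line):
    """Parse one krb5kdc AS_REQ ISSUE line; return None for any other line."""
    m = ISSUE_RE.search(line)
    if m is None:
        return None
    return {
        "requested": [int(x) for x in m.group("requested").split()],
        "client_addr": m.group("client_addr"),
        "authtime": int(m.group("authtime")),
        "rep": int(m.group("rep")),
        "tkt": int(m.group("tkt")),
        "ses": int(m.group("ses")),
        "client": m.group("client"),
        "server": m.group("server"),
    }


def explain(entry):
    """Map the three enctype fields of a parsed entry to what each one protects."""
    return {
        "reply (client key)": enctype_name(entry["rep"]),
        "ticket (service key)": enctype_name(entry["tkt"]),
        "session key": enctype_name(entry["ses"]),
    }


def des_findings(lines):
    """Return (client, server, field, enctype name) for every ticket or session key still on single DES."""
    findings = []
    for line in lines:
        entry = parse_issue_line(line)
        if entry is None:
            continue
        for field in ("tkt", "ses"):
            if entry[field] in DES_ENCTYPES:
                findings.append((entry["client"], entry["server"], field, enctype_name(entry[field])))
    return findings


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        entry = parse_issue_line(line)
        if entry is not None:
            print(entry["client"], "->", entry["server"], explain(entry))
    for client, server, field, name in des_findings(SAMPLE_LOG):
        print("still DES:", client, "for", server, field, name)
```

Run against the message's line, the report shows the reply already on rc4-hmac (the client's new key) while both the ticket and the session key are still des-cbc-crc, which points at the key the ticket is encrypted under (the service principal, krbtgt here) rather than at the client's keys.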
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos