>> That seems a real shame -- "Use 1DES in any homogenous
>> environment or you may really hurt yourself."

It's not actually _that_ bad, and you don't want to change your supported_enctypes line. The only _crucial_ thing is that you cannot have service keys on a system that it cannot handle. The clients don't matter ... only the application server (e.g., ktelnetd, sshd, whatever) matters.

We have a relatively complicated realm when it comes to enctypes ... some systems, by regulation, cannot have a single-DES enctype on them; other systems, for backwards compatibility with some damn version of Java (don't get me started), can _only_ have a single-DES enctype. It all works fine, and our supported_enctypes line has a bunch of enctypes in it. The only thing that is important is that the single-DES only machines only have single-DES enctypes on them (well, the no-single-DES machines don't have single-DES keys, obviously).

>> Sadly, it also doesn't appear one can remove just *one* enctype
>> instance of a key (the 3DES one in my case).

Yeah, I sure wish MIT could do this. Oh, well. It's only a few seconds to rekey it, though, and it's easy enough to automate it.

--Ken

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
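
Added example, not part of the original message or of any Kerberos distribution: a check that the service keys in a host's keytab match what that host is allowed to hold, the rule the reply above calls crucial. It assumes `klist -ke` output without timestamps; the policy labels "des-only" and "no-des" and the sample listing are invented for this example.

```python
import re

# One key entry as printed by `klist -ke` (no -t): "<kvno> <principal> (<enctype>)".
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")

def is_single_des(enctype):
    """True for single-DES enctypes, in short or long klist spelling."""
    # Some releases prefix weak enctypes with "DEPRECATED:"; drop it first.
    name = enctype.lower().split("deprecated:")[-1]
    # "des-cbc-crc" and "DES cbc mode with CRC-32" match;
    # "des3-..." and "Triple DES ..." do not.
    return name.startswith(("des-", "des cbc"))

def audit_keytab(klist_output, policy):
    """Return (kvno, principal, enctype) for every key that breaks the policy.

    policy is a label invented for this example:
      "des-only": the host can only handle single-DES keys
      "no-des":   the host must not hold any single-DES key
    """
    if policy not in ("des-only", "no-des"):
        raise ValueError("unknown policy: " + policy)
    violations = []
    for line in klist_output.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header, separator or blank line
        kvno, principal, enctype = int(m.group(1)), m.group(2), m.group(3)
        des = is_single_des(enctype)
        if (policy == "des-only" and not des) or (policy == "no-des" and des):
            violations.append((kvno, principal, enctype))
    return violations

# Constructed sample, not output from a real host.
SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------
   4 host/legacy.example.com@EXAMPLE.COM (des-cbc-crc)
   4 host/legacy.example.com@EXAMPLE.COM (des3-cbc-sha1)
   2 ftp/legacy.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
"""

if __name__ == "__main__":
    for policy in ("des-only", "no-des"):
        for kvno, principal, enctype in audit_keytab(SAMPLE, policy):
            print(f"{policy}: kvno {kvno} {principal} has {enctype}")
```

Each reported entry is a service key of an enctype the host should not hold; the remedy discussed in the message is to rekey that principal.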