[24113] in Kerberos


selecting master key enctype for a new database

daemon@ATHENA.MIT.EDU (Phil Tracy)
Mon Jun 20 13:29:17 2005

Message-Id: <6.2.1.2.2.20050620121542.06455008@lulu.it.northwestern.edu>
Date: Mon, 20 Jun 2005 12:28:33 -0500
To: kerberos@mit.edu
From: Phil Tracy <ptracy@northwestern.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Errors-To: kerberos-bounces@mit.edu

I need to create a new realm, and I'm wondering if anyone has a 
recommendation about which enctype to use for the master key.

The kdb5_util program seems to still default to des-cbc-crc when creating a 
database (I'm running MIT Kerberos 1.4.1), and I'm not sure if there's a 
good reason for this.  I'd like to use one of the new, stronger enctypes 
like aes256, but I'm not sure what the pros and cons are.

I suppose that all of the slave KDCs would have to be upgraded to a version 
of Kerberos that supports whatever master key enctype I choose, but I don't 
anticipate a problem there.  Are there client issues?  Cross-realm trust 
issues?  Something else?  I don't plan to run anything but MIT Kerberos for 
a KDC, but if anyone knows of any gotchas with specific enctypes/vendors, 
that might be useful information.  Thanks.

--
Phil Tracy
ptracy@northwestern.edu
Information Systems Architecture
Northwestern University Information Technology


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
