[19339] in Kerberos
Re: default_tgs_enctypes confusion
daemon@ATHENA.MIT.EDU (Sam Hartman)
Fri May 30 12:09:39 2003
To: kerberos@mit.edu
From: Sam Hartman <hartmans@MIT.EDU>
Date: Fri, 30 May 2003 12:07:49 -0400
In-Reply-To: <Pine.BSF.4.44.0305291838000.5533-100000@s1.stradamotorsports.com> (Jason C. Wells's message of "Thu, 29 May 2003 19:03:43 -0700")
Message-ID: <871xyge7u2.fsf@luminous.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Errors-To: kerberos-bounces@mit.edu
>>>>> "Jason" == Jason C Wells <jcwells1@highperformance.net> writes:
Jason> The man page for krb5.conf states that default_tgs_enctypes
Jason> is a list of session key encryption types that should be
Jason> returned by the KDC. Also, default_tkt_enctypes is a list
Jason> of session key encryption types that should be requested by
Jason> the client.
Jason> So, if I omit an encryption type, then I am not requesting
Jason> that encryption type. Right?
Yes. However, note that you only get to control the session key
encryption type, not the ticket encryption type.
For example, consider the following: The key
host/solipsist-nation.suchdamage.org@SUCHDAMAGE.ORG has a
des3-hmac-sha1 service key in the KDC database. So, no matter what I
do as a client, the ticket itself will be encrypted with des3.
However, I as a client can influence what session key is chosen.
For example, here is the ticket I get if I restrict
default_tgs_enctypes to include only des-cbc-crc:
05/30/03 12:02:50 05/30/03 21:35:43 host/solipsist-nation.suchdamage.org@SUCHDAMAGE.ORG
Etype (skey, tkt): DES cbc mode with CRC-32, Triple DES cbc mode with HMAC/sha1
Note that the first encryption type is the session key--the key that
the client needs to use to encrypt future traffic with the service.
The second entry is the ticket key--the key that the KDC and the
service share with each other.
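An added illustration (not part of Sam's message): a small Python audit that parses the "Etype (skey, tkt)" lines of `klist -e` output, classifies the session key and ticket key separately, and says which side can act on each, since only the session key is under the client's default_tgs_enctypes control while the ticket key follows the service key in the KDC. The strength policy and the sample output are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of `klist -e` (ticket line, then its Etype line);
# the first ticket mirrors the one quoted in the message. Not real tickets.
SAMPLE_KLIST = """\
05/30/03 12:02:50  05/30/03 21:35:43  host/solipsist-nation.suchdamage.org@SUCHDAMAGE.ORG
\tEtype (skey, tkt): DES cbc mode with CRC-32, Triple DES cbc mode with HMAC/sha1
05/30/03 12:02:50  05/30/03 21:35:43  krbtgt/SUCHDAMAGE.ORG@SUCHDAMAGE.ORG
\tEtype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
"""

# Strength policy (an assumption of this example, not krb5's own): single DES is
# broken, 3DES and RC4 are deprecated, anything else is accepted as-is.
BROKEN = {"DES cbc mode with CRC-32", "DES cbc mode with RSA-MD5", "DES cbc mode with RSA-MD4"}
DEPRECATED = {"Triple DES cbc mode with HMAC/sha1", "ArcFour with HMAC/md5"}

ETYPE_RE = re.compile(r"^\s*Etype \(skey, tkt\):\s*(.+?),\s*(.+?)\s*$")

@dataclass
class TicketEtypes:
    principal: str
    session_key: str   # what default_tgs_enctypes on the client can influence
    ticket_key: str    # fixed by the service principal's key in the KDC database

def parse_klist(text):
    """Pair each ticket line (its last token is a principal) with the Etype line after it."""
    tickets, principal = [], None
    for line in text.splitlines():
        m = ETYPE_RE.match(line)
        if m and principal:
            tickets.append(TicketEtypes(principal, m.group(1), m.group(2)))
            principal = None
        elif line.split() and "@" in line.split()[-1]:
            principal = line.split()[-1]
    return tickets

def classify(etype):
    return "broken" if etype in BROKEN else "deprecated" if etype in DEPRECATED else "ok"

def audit(text):
    """One finding per ticket, naming the side that has to act for each weak key."""
    findings = []
    for t in parse_klist(text):
        fix = []
        if classify(t.session_key) != "ok":
            fix.append("client: remove weak enctypes from default_tgs_enctypes")
        if classify(t.ticket_key) != "ok":
            fix.append("KDC: rekey the service principal with a stronger enctype")
        findings.append({"principal": t.principal, "skey": classify(t.session_key),
                         "tkt": classify(t.ticket_key), "fix": fix})
    return findings
```

Run `audit(SAMPLE_KLIST)` to see that the first ticket is flagged on both keys, with only the session key fixable from the client side.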
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos