[24229] in Kerberos

Re: Updating encryption types

daemon@ATHENA.MIT.EDU (Tom Yu)
Wed Jul 6 19:35:43 2005

To: kerberos@mit.edu
From: Tom Yu <tlyu@mit.edu>
Date: Wed, 06 Jul 2005 19:35:02 -0400
In-Reply-To: <20050705204853.GE27759@usc.edu> (Phil Dibowitz's message of
 "Tue, 5 Jul 2005 13:48:54 -0700")
Message-ID: <ldvoe9fbja1.fsf@cathode-dark-space.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Errors-To: kerberos-bounces@mit.edu

>>>>> "phil" == Phil Dibowitz <phil@usc.edu> writes:

phil> [phil@frantic unstale]$ klist -e
phil> Ticket cache: FILE:/tmp/krb5cc_36070
phil> Default principal: phil@ISD.USC.EDU

phil> Valid starting     Expires            Service principal
phil> 07/05/05 13:36:31  07/05/05 23:36:31  krbtgt/ISD.USC.EDU@ISD.USC.EDU
phil>         Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32 

This indicates that your KDC is issuing a TGT which has its
ticket-encrypting key of type des-cbc-crc, which implies that the TGT
principal has at best a single-DES enctype.

phil> and the logs show:

phil> Jul 05 13:36:31 frantic.usc.edu krb5kdc[26284](info): AS_REQ (3 etypes {23 16
phil> 1}) 128.125.10.120: ISSUE: authtime 1120595791, etypes {rep=23 tkt=1 ses=1},
phil> phil@ISD.USC.EDU for krbtgt/ISD.USC.EDU@ISD.USC.EDU

phil> Neither the session key, nor my principal key seem to have been using the new
phil> encryption... it's not clear to me why...

It does list "rep=23", which means that the *reply* is encrypted in
arcfour.  The client shouldn't care about what the ticket-encrypting
enctype is, though some really old implementations erroneously do
care.  The session key choice is limited by the capabilities of the
TGT principal.

---Tom
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
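
Added example (not part of the original message and not MIT Kerberos code): a small Python parser for the numeric krb5kdc ISSUE line format quoted above, reporting single-DES ticket and session keys according to the reading given in the reply. The names `parse_issue` and `weak_key_findings` and the second sample log line are constructed for illustration.

```python
import re

# Enctype numbers: 1 and 23 are named in the thread; the rest are standard.
ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
          17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
SINGLE_DES = {1, 2, 3}

# Matches the numeric krb5kdc ISSUE format quoted in the message.
LINE_RE = re.compile(
    r"(?:AS|TGS)_REQ \(\d+ etypes \{(?P<offered>[\d ]+)\}\).*?ISSUE:.*?"
    r"etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, "
    r"(?P<client>\S+) for (?P<service>\S+)")

def parse_issue(line):
    """Return the enctypes from one ISSUE log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = {k: int(m.group(k)) for k in ("rep", "tkt", "ses")}
    rec["offered"] = [int(n) for n in m.group("offered").split()]
    rec["client"], rec["service"] = m.group("client"), m.group("service")
    return rec

def weak_key_findings(rec):
    """Describe single-DES ticket and session keys, following the reply's reading."""
    out = []
    name = lambda n: ETYPES.get(n, f"etype {n}")
    if rec["tkt"] in SINGLE_DES:
        out.append(f"tkt={name(rec['tkt'])}: {rec['service']} has at best a single-DES key")
    if rec["ses"] in SINGLE_DES and set(rec["offered"]) - SINGLE_DES:
        out.append(f"ses={name(rec['ses'])}: client offered stronger types, "
                   f"session key limited by {rec['service']}")
    return out

SAMPLE_LOG = [
    # The line quoted in the thread, rejoined onto one line.
    "Jul 05 13:36:31 frantic.usc.edu krb5kdc[26284](info): AS_REQ (3 etypes {23 16 1}) "
    "128.125.10.120: ISSUE: authtime 1120595791, etypes {rep=23 tkt=1 ses=1}, "
    "phil@ISD.USC.EDU for krbtgt/ISD.USC.EDU@ISD.USC.EDU",
    # Constructed line: the same request once the TGT principal has newer keys.
    "Jul 06 09:00:00 kdc.example.com krb5kdc[100](info): AS_REQ (3 etypes {23 16 1}) "
    "192.0.2.10: ISSUE: authtime 1120665600, etypes {rep=23 tkt=16 ses=23}, "
    "user@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
]

if __name__ == "__main__":
    for rec in map(parse_issue, SAMPLE_LOG):
        for finding in weak_key_findings(rec) or ["no single-DES keys issued"]:
            print(f"{rec['client']}: {finding}")
```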