[24241] in Kerberos
Re: Updating encryption types
daemon@ATHENA.MIT.EDU (Phil Dibowitz)
Thu Jul 7 17:23:55 2005
Date: Thu, 7 Jul 2005 14:22:59 -0700
From: Phil Dibowitz <phil@usc.edu>
To: Kevin Coffman <kwc@citi.umich.edu>
Message-ID: <20050707212259.GK8907@usc.edu>
Mail-Followup-To: Kevin Coffman <kwc@citi.umich.edu>, kerberos@mit.edu,
Toan Nguyen <toan@usc.edu>
Mime-Version: 1.0
In-Reply-To: <20050706232117.B975D1BB57@citi.umich.edu>
cc: Toan Nguyen <toan@usc.edu>
cc: kerberos@mit.edu
On Wed, Jul 06, 2005 at 07:21:17PM -0400, Kevin Coffman wrote:
> My guess is that your krbtgt/ISD.ISC.EDU@ISD.USC.EDU principal still
> only has a des key. 'cpw -randkey -keepold' on that principal to
> generate other keys.
Nice. That works. I didn't realize that had to be updated. Which leaves me
with a few more questions:
1. What's the difference between the principals krbtgt@ISD.USC.EDU and
krbtgt/ISD.USC.EDU@ISD.USC.EDU? They both exist, but krbtgt/ISD.USC.EDU seems
to be the ACTUAL ticket granting principal, while krbtgt@ISD.USC.EDU has the
DISALLOW_ALL_TIX attribute.
2. As expected doing the cpw on the krbtgt/ISD.USC.EDU ticket provides us
with:
Key: vno 2, ArcFour with HMAC/md5, no salt
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
and since the kvno is updated, that means I will need to regenerate/ktadd the
new version of the key stashfile on all KDCs used to start the KDC, right?
3. Anything else I need to be wary of changing this principal and/or the
"other" krbtgt principal?
Thanks.
-- 
Phil Dibowitz
Systems Architect and Administrator
Enterprise Infrastructure / ISD / USC
UCC 180 - 213-821-5427