[1173] in Kerberos_V5_Development
MD5 by default?
daemon@ATHENA.MIT.EDU (Richard Basch)
Wed May 15 01:40:11 1996
Date: Wed, 15 May 1996 01:39:30 -0400
To: tytso@MIT.EDU, krbdev@MIT.EDU
From: "Richard Basch" <basch@lehman.com>
I have the following in my /etc/krb5.conf:
[libdefaults]
    ticket_lifetime = 1440
    ccache_type = 4
    default_realm = Lehman.COM
    default_domain = LEHMAN.COM
    krb4_srvtab = /etc/kerberosIV/srvtab
    krb4_config = /etc/kerberosIV/krb.conf
    default_tkt_enctypes = des3-cbc-sha des-cbc-md5
    default_tgs_enctypes = des3-cbc-sha des-cbc-md5
and my database primarily consists of V4 keys (des-cbc-crc:v4).
On the machines for which I have created a keytab, I wanted to start
using des-cbc-md5 for the k5 sessions (even though md5 may be on its way
out, it is still better than crc).
However, when I try, I get an error saying the encryption type is not
supported. If I change the service key (still des-cbc-crc:v4) to have
the md5 attribute (kdb5_edit -R "modent +md5 ..."), it works.
The problem is that I still have a V4 kadmin server and a V5 admin
server, both of which are creating keys without the md5 attribute.
There doesn't seem to be a clean way to change the default behavior.
Should we consider adding such a facility? In the meantime, I am of
course editing my copies of the admin servers, and changing all my
principal keys to have it set, since I don't have a backwards
compatibility issue.
Richard Basch
Sr. Developer/Analyst          URL:   http://web.mit.edu/basch/www/home.html
Lehman Brothers, Inc.          Email: basch@lehman.com, basch@mit.edu
101 Hudson St., 33rd Floor     Fax:   +1-201-524-5828
Jersey City, NJ 07302-3988     Voice: +1-201-524-5049
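
Added example, not part of the original message and not MIT Kerberos code: a small Python model of the behaviour the message reports, where a des-cbc-crc service key can be used for des-cbc-md5 only when the principal carries the md5 attribute. It audits which principals would fail under the posted enctype lists; the function names, the selection rule as coded and the sample principals are assumptions constructed for illustration.

```python
import re

# Enctype relations copied from the krb5.conf in the message.
KRB5_CONF = """\
[libdefaults]
    default_tkt_enctypes = des3-cbc-sha des-cbc-md5
    default_tgs_enctypes = des3-cbc-sha des-cbc-md5
"""

# Constructed sample principals: (name, stored key enctype, md5 attribute set?)
PRINCIPALS = [
    ("host/a.example.com", "des-cbc-crc", False),  # as created by the admin servers
    ("host/b.example.com", "des-cbc-crc", True),   # after "modent +md5"
]

def libdefaults(text):
    """Return the [libdefaults] relations of a krb5.conf as a dict."""
    section, relations = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            relations[key.strip()] = value.strip()
    return relations

def negotiate(requested, key_enctype, has_md5_attr):
    """First requested enctype the service key can serve, else None.

    Assumed rule (modelled on the message): a des-cbc-crc key also serves
    des-cbc-md5, but only if the principal has the md5 attribute.
    """
    usable = {key_enctype}
    if key_enctype == "des-cbc-crc" and has_md5_attr:
        usable.add("des-cbc-md5")
    return next((e for e in requested if e in usable), None)

def audit(conf_text, principals):
    """Map each principal to the negotiated enctype (None = 'not supported')."""
    wanted = re.split(r"[\s,]+", libdefaults(conf_text)["default_tgs_enctypes"])
    return {name: negotiate(wanted, etype, md5) for name, etype, md5 in principals}

if __name__ == "__main__":
    for name, result in audit(KRB5_CONF, PRINCIPALS).items():
        print(name, "->", result or "encryption type not supported")
```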