[17055] in Kerberos_V5_Development
Re: Multiple ETYPE-INFO-ENTRY with same etype but different salts
daemon@ATHENA.MIT.EDU (Henry B. Hotz)
Tue Jul 19 22:39:34 2011
From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
In-Reply-To: <mailman.79371.1310997923.7171.krbdev@mit.edu>
Date: Tue, 19 Jul 2011 19:39:29 -0700
Message-Id: <3C987864-F121-405A-8CB3-92818E61D1F4@jpl.nasa.gov>
To: "krbdev@mit.edu" <krbdev@mit.edu>
Cc: Weijun Wang <weijun.wang@oracle.com>
On Jul 18, 2011, at 7:05 AM, krbdev-request@mit.edu wrote:
>> I would expect the des-cbc-md5:normal to result in an etype-info2 entry
>> with no specified salt (which means the default salt). I don't know why
>> Java isn't choosing this entry.
>
> As I said, we skip entry with an empty salt.
>
> We will fix our problem. My last question would be: so the customer has no workaround now on their KDC side?

The customer could follow current recommended practice and stop using Kerberos 4 and single-DES. ;-) ;-)
(You can preserve single-des keys for the AFS service even if you strip them out of everything else.)
------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu