[961] in Kerberos_V5_Development


Admin server: host keys

daemon@ATHENA.MIT.EDU (Richard Basch)
Wed Dec 13 12:06:47 1995

Date: Wed, 13 Dec 1995 12:02:23 -0500
To: proven@MIT.EDU
Cc: tytso@MIT.EDU, krbdev@MIT.EDU
From: "Richard Basch" <basch@lehman.com>

We were discussing the need for only ONE host/service key, earlier.
However, I just thought of a need for multiple host/service keys.
Suppose the Kerberos server is providing keys for multiple services
(e.g. Kerberos V5 requests and Kerberos V4 requests), then the other
service may require the use of a different keytype in the database
(e.g. Kerberos V4 doesn't understand Triple-DES, but I want all those
keys so that I can phase in the various Kerberos V5 services).

In the current proposed scheme, you would require a host to maintain a
single-DES key for as long as it required Kerberos V4 services, and then
only upgrade to a 3-DES key when all services are converted.  It then
becomes difficult if a new service is added to host X.  After all, we
know how many services share the same service key (e.g. rcmd/host).

Admittedly, the argument may be that each backwards service should use
the appropriately defined service key, and that service keys should not
be shared between the various KDC services (V4 and V5).

Thoughts?
-- 
Richard Basch                   URL: http://web.mit.edu/basch/www/home.html
Lehman Brothers, Inc.           Email: basch@lehman.com, basch@mit.edu
101 Hudson St., 33rd Floor      Fax:   +1-201-524-5828
Jersey City, NJ  07302-3988     Voice: +1-201-524-5049

