• supported enctypes: what is the net effect of removing 3des?

    From Dan Mahoney (Gushi)@21:1/5 to All on Sun Oct 3 02:34:32 2021
    Hey there. My org is moving off 3des.

    My reading of "supported_enctypes" is simply that it will stop kadmin/the
    KDC from generating NEW keys of an older type, correct? That if I do a
    cpw without -keepold, those keys will be removed -- but otherwise, the KDC
    will not act as though a user with 3des-only keys doesn't exist.

    Changing it should not break any authentication or tickets? Or will the
    KDC then refuse to issue TGTs that use that type at all? (It seems like
    that would be affected by the similarly named permitted_enctypes, though.)

    -Dan

    --

    --------Dan Mahoney--------
    Techie, Sysadmin, WebGeek
    Gushi on efnet/undernet IRC
    FB: fb.com/DanielMahoneyIV
    LI: linkedin.com/in/gushi
    Site: http://www.gushi.org
    ---------------------------

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Greg Hudson@21:1/5 to Dan Mahoney (Gushi) on Sun Oct 3 13:21:05 2021
    To: kerberos@mit.edu

    On 10/3/21 5:34 AM, Dan Mahoney (Gushi) wrote:
    > My reading of "supported_enctypes" is simply that it will stop kadmin/the
    > KDC from generating NEW keys of an older type, correct?

    Correct. (The KDC doesn't generate long-term keys, so only
    kadmind/kadmin.local and kdb5_util are affected. Also note that a
    kadmin client can specify an enctype/salttype list when creating new key
    sets, in which case supported_enctypes is ignored.)

    > That if I do a cpw without -keepold, those keys will be removed -- but
    > otherwise, the KDC will not act as though a user with 3des-only keys
    > doesn't exist.

    Correct. Removing an enctype from permitted_enctypes causes the KDC to
    ignore keys of that type, but supported_enctypes is only about new
    long-term keys.

    > Changing it should not break any authentication or tickets?

    Correct.

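Given the distinction drawn in the reply (permitted_enctypes makes the KDC ignore keys of a type; supported_enctypes only stops new ones being generated), the principals that actually need attention before 3DES leaves permitted_enctypes are those whose only keys are 3DES. The script below is an added example, not code from the thread or from MIT krb5: it reads the output of `kdb5_util tabdump keyinfo` (the header-plus-tab-separated name/keyindex/kvno/enctype/salttype/salt layout is assumed from that tool; the sample dump is constructed) and sorts principals into those that must be rekeyed with cpw first, those carrying a stale 3DES key beside a modern one, and the rest.

```python
"""Classify principals by how a 3DES removal from permitted_enctypes would
affect them, from `kdb5_util tabdump keyinfo` output."""
from collections import defaultdict

# Constructed sample dump, not taken from any real KDC. Assumed layout:
# one header line, then tab-separated name/keyindex/kvno/enctype/salttype/salt.
SAMPLE_KEYINFO = """\
name\tkeyindex\tkvno\tenctype\tsalttype\tsalt
alice@EXAMPLE.COM\t0\t3\taes256-cts-hmac-sha1-96\tnormal\t
alice@EXAMPLE.COM\t1\t3\tdes3-cbc-sha1\tnormal\t
bob@EXAMPLE.COM\t0\t1\tdes3-cbc-sha1\tnormal\t
host/kdc.example.com@EXAMPLE.COM\t0\t2\taes128-cts-hmac-sha1-96\tnormal\t
"""

# MIT krb5 prints the canonical name des3-cbc-sha1; the aliases are listed
# so the same set works against enctype lists copied from kdc.conf.
RETIRED = {"des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-sha1-kd"}


def enctypes_by_principal(dump: str) -> dict[str, set[str]]:
    """Map each principal to the set of enctypes among its current keys."""
    keys = defaultdict(set)
    for line in dump.splitlines():
        if not line.strip() or line.startswith("name\t"):
            continue  # skip blank lines and the header line
        fields = line.split("\t")
        if len(fields) < 4:
            raise ValueError(f"unexpected keyinfo line: {line!r}")
        name, enctype = fields[0], fields[3]
        keys[name].add(enctype)
    return dict(keys)


def classify(dump: str, retired: set[str] = RETIRED) -> dict[str, list[str]]:
    """only_retired: every key would be ignored once `retired` is dropped
    from permitted_enctypes, so the principal must be rekeyed first.
    mixed: has a modern key too; the stale key lingers until the next cpw.
    clean: no retired keys at all."""
    result = {"only_retired": [], "mixed": [], "clean": []}
    for name, ets in sorted(enctypes_by_principal(dump).items()):
        if ets <= retired:
            result["only_retired"].append(name)
        elif ets & retired:
            result["mixed"].append(name)
        else:
            result["clean"].append(name)
    return result


if __name__ == "__main__":
    for bucket, names in classify(SAMPLE_KEYINFO).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Run it against a real dump by replacing SAMPLE_KEYINFO with the contents of `kdb5_util tabdump keyinfo`; only the `only_retired` bucket breaks when 3DES is removed from permitted_enctypes.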