[OpenAFS] Kerberos 5 encryption types and AFS
Russ Allbery
rra@stanford.edu
Tue, 06 Mar 2007 11:33:06 -0800
Ken Hornstein <kenh@cmf.nrl.navy.mil> writes:
> A slight expansion on this.
> Clients from the MIT 1.0.x era would reject service tickets if they were
> encrypted with an enctype they didn't know about (since clients don't
> decrypt service tickets, they shouldn't need to care about the enctype).
> The exception to this was the TGT (it used a different codepath). So
> you could have an AES TGT (for example) and it would work fine even
> though AES keys for service principals would not (3DES had the same
> issue from what I remember).
> I believe this was fixed in the 1.1 or 1.2 timeframe.
I've also found that if I took a client linked with a Kerberos library
that didn't understand AES keys (1.2 era), pointed it at a ticket cache
containing an AES TGT, and asked it to get a service ticket, it would
fail.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>