[OpenAFS] Kerberos 5 encryption types and AFS

Russ Allbery rra@stanford.edu
Tue, 06 Mar 2007 11:33:06 -0800


Ken Hornstein <kenh@cmf.nrl.navy.mil> writes:

> A slight expansion on this.

> Clients from the MIT 1.0.x era would reject service tickets if they were
> encrypted with an enctype they didn't know about (since clients don't
> decrypt service tickets they shouldn't need to care about the enctype).
> The exception to this was the TGT (it used a different codepath).  So
> you could have an AES TGT (for example) and it would work fine even
> though AES keys for service principals would not (3DES had the same
> issue from what I remember).

> I believe this was fixed in the 1.1 or 1.2 timeframe.

I've also found that if I took a client linked with a Kerberos library
that didn't understand AES keys (1.2 era), pointed it at a ticket cache
containing an AES TGT, and asked it to get a service ticket, it would
fail.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
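To make the distinction in the thread concrete: a KDC reply carries three enctypes the client sees, and it only has to understand two of them. The reply's enc-part is encrypted in a key the client holds (its long-term key for an AS-REP, the TGT session key for a TGS-REP), and the session key inside it is what the client uses to build the AP-REQ for later exchanges; the ticket's own enc-part is encrypted in the service's key and is opaque to the client. The following Python is an added example, not code from the original thread or from OpenAFS or MIT Kerberos: it builds a constructed DER Ticket (placeholder cipher bytes, not real ciphertext), pulls the etype out of its enc-part following the RFC 4120 layout, and models the client-side decision both with and without the 1.0.x-era behaviour Ken describes. Enctype numbers follow RFC 3961/3962; the realm, principal names and `legacy_bug`/`is_tgt` flags are assumptions made for illustration.

```python
"""Which enctypes a Kerberos 5 client must understand in a KDC reply.

Added example; not from the original thread.  Enctype numbers follow
RFC 3961/3962, the DER layout follows RFC 4120 section 5.3, trimmed to the
fields needed to pull the etype out of a Ticket's enc-part:

    Ticket        ::= [APPLICATION 1] SEQUENCE {
        tkt-vno [0] INTEGER, realm [1] Realm, sname [2] PrincipalName,
        enc-part [3] EncryptedData }            -- encrypted in the SERVICE key
    EncryptedData ::= SEQUENCE {
        etype [0] Int32, kvno [1] UInt32 OPTIONAL, cipher [2] OCTET STRING }
"""

DES_CBC_CRC, DES_CBC_MD5, DES3_CBC_SHA1, AES256_CTS = 1, 3, 16, 18

# ---- minimal DER helpers, enough for the structures above ----

def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        ln = bytes([n])
    elif n < 0x100:
        ln = bytes([0x81, n])
    else:
        ln = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + ln + body

def der_int(v):
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def ctx(n, body):                 # explicit context tag [n]
    return tlv(0xA0 | n, body)

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nlen = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + nlen], "big"), 2 + nlen
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def fields_of(seq_body):
    """Map context tag -> inner element for the members of a SEQUENCE body."""
    out, pos = {}, 0
    while pos < len(seq_body):
        tag, val, pos = read_tlv(seq_body, pos)
        out[tag] = val
    return out

def build_ticket(realm, service, ticket_etype, cipher):
    """Constructed sample Ticket; the cipher bytes are a placeholder, not real ciphertext."""
    sname = tlv(0x30, ctx(0, der_int(1)) +                     # name-type NT-PRINCIPAL
                      ctx(1, tlv(0x30, b"".join(tlv(0x1B, s.encode()) for s in service))))
    enc_part = tlv(0x30, ctx(0, der_int(ticket_etype)) + ctx(2, tlv(0x04, cipher)))
    body = (ctx(0, der_int(5)) + ctx(1, tlv(0x1B, realm.encode())) +
            ctx(2, sname) + ctx(3, enc_part))
    return tlv(0x61, tlv(0x30, body))                          # [APPLICATION 1] SEQUENCE

def ticket_etype(ticket_der):
    """Etype of the ticket's enc-part, i.e. the enctype of the SERVICE principal's key."""
    tag, seq, _ = read_tlv(ticket_der)
    if tag != 0x61:
        raise ValueError("not a Kerberos Ticket ([APPLICATION 1])")
    _, members, _ = read_tlv(seq)
    _, enc_part, _ = read_tlv(fields_of(members)[0xA3])        # [3] EncryptedData
    _, etype, _ = read_tlv(fields_of(enc_part)[0xA0])          # [0] etype
    return int.from_bytes(etype, "big", signed=True)

# ---- the client-side decision the thread is about ----

def client_accepts(reply, known_etypes, legacy_bug=False):
    """Whether a client can use a KDC-REP.  Returns (accepted, missing enctypes).

    reply["enc_part_etype"]    etype of the KDC-REP enc-part, which the client decrypts
    reply["session_key_etype"] keytype of the session key inside it, which the client
                               needs to build the AP-REQ for later exchanges
    reply["ticket"]            DER Ticket, encrypted in the service key; the client
                               never decrypts it, so a correct client ignores its etype
    legacy_bug=True models the MIT 1.0.x-era behaviour described in the thread:
    reject a service ticket whose etype the client does not know, with the TGT
    (reply["is_tgt"], an assumed flag) going through a different codepath.
    """
    required = {reply["enc_part_etype"], reply["session_key_etype"]}
    if legacy_bug and not reply.get("is_tgt", False):
        required.add(ticket_etype(reply["ticket"]))
    missing = sorted(required - set(known_etypes))
    return (not missing), missing

# Constructed scenario: a 1.2-era client without AES; AES256 service key, 3DES session key.
OLD_CLIENT = {DES_CBC_CRC, DES_CBC_MD5, DES3_CBC_SHA1}
SVC_REPLY = {
    "enc_part_etype": DES3_CBC_SHA1,
    "session_key_etype": DES3_CBC_SHA1,
    "ticket": build_ticket("EXAMPLE.ORG", ["afs", "example.org"], AES256_CTS, b"\x00" * 32),
}
# Constructed scenario: TGT encrypted in an AES256 krbtgt key but with a 3DES session key.
TGT_REPLY = {
    "enc_part_etype": DES3_CBC_SHA1, "session_key_etype": DES3_CBC_SHA1, "is_tgt": True,
    "ticket": build_ticket("EXAMPLE.ORG", ["krbtgt", "EXAMPLE.ORG"], AES256_CTS, b"\x00" * 32),
}

if __name__ == "__main__":
    print("legacy client, AES service ticket:", client_accepts(SVC_REPLY, OLD_CLIENT, legacy_bug=True))
    print("fixed client,  AES service ticket:", client_accepts(SVC_REPLY, OLD_CLIENT))
    print("legacy client, AES TGT, 3DES session key:", client_accepts(TGT_REPLY, OLD_CLIENT, legacy_bug=True))
    print("any client,    AES TGT session key:",
          client_accepts(dict(TGT_REPLY, session_key_etype=AES256_CTS), OLD_CLIENT))
```

The last case is the one that bites regardless of the client fix: if the KDC hands out a session key in an enctype the client does not implement, the client cannot build the AP-REQ for the TGS exchange, whatever the ticket itself is encrypted in. On a real system, `klist -e` shows both enctypes per ticket (the session key's and the ticket's), which is the quickest way to tell which of the two a failing client is tripping over.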