[OpenAFS] Kerberos 5 encryption types and AFS

Ken Hornstein kenh@cmf.nrl.navy.mil
Tue, 06 Mar 2007 14:23:02 -0500


>In practice, 3DES has no problems here, but AES keys can confuse really
>old clients.

A slight expansion on this.

Clients from the MIT 1.0.x era would reject service tickets if they were
encrypted with an enctype they didn't know about (since clients don't
decrypt service tickets, they shouldn't need to care about the enctype).
The exception to this was the TGT (it used a different codepath).  So
you could have an AES TGT (for example) and it would work fine even though
AES keys for service principals would not (3DES had the same issue from
what I remember).

I believe this was fixed in the 1.1 or 1.2 timeframe.

--Ken