[OpenAFS] Kerberos 5 encryption types and AFS
Tue, 06 Mar 2007 11:33:06 -0800
Ken Hornstein <firstname.lastname@example.org> writes:
> A slight expansion on this.
> Clients from the MIT 1.0.x era would reject service tickets if they were
> encrypted with an enctype they didn't know about (since clients don't
> decrypt service tickets they shouldn't need to care about the enctype).
> The exception to this was the TGT (it used a different codepath). So
> you could have an AES TGT (for example) and it would work fine even
> though AES keys for service principals would not (3DES had the same
> issue from what I remember).
> I believe this was fixed in the 1.1 or 1.2 timeframe.

I've also found that if I took a client linked with a Kerberos library
that didn't understand AES keys (1.2 era), pointed it at a ticket cache
containing an AES TGT, and asked it to get a service ticket, it would

Russ Allbery (email@example.com) <http://www.eyrie.org/~eagle/>