[OpenAFS] Kerberos 5 encryption types and AFS

Russ Allbery rra@stanford.edu
Tue, 06 Mar 2007 11:43:03 -0800

Ken Hornstein (Contractor) <kenh@cmf.nrl.navy.mil> writes:

>> I've also found that if I took a client linked with a Kerberos library
>> that didn't understand AES keys (1.2 era), pointed it at a ticket cache
>> containing an AES TGT, and asked it to get a service ticket, it would
>> fail.

> With an AES TGT, or an AES session key as part of the TGT?  The latter
> would obviously fail; I really thought we had 1.2 era clients with AES
> service tickets without any problems, but perhaps my memory is failing
> me.

A ticket where both skey and tkt were AES.  I assume that it would have
worked fine if tkt was AES but skey was 3DES.

(The specific problem was that we used k5start to maintain a ticket cache
which other programs then used to obtain service tickets; k5start was
linked with a new enough version of Kerberos that it negotiated an AES
skey, and the other programs were linked with an older version of Kerberos
that only understood 3DES at best.)

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
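
Added example, not part of the original message: a check that reads `klist -e` output for a shared ticket cache and reports entries whose session key (skey) enctype an older consumer of the cache cannot use. The sample output, the principals and the legacy enctype set are constructed for illustration, and the parser assumes MIT klist's "Etype (skey, tkt):" line with short enctype names.

```python
import re

# Constructed `klist -e` output (MIT format with short enctype names assumed).
SAMPLE_KLIST_E = """\
Ticket cache: FILE:/tmp/krb5cc_example
Default principal: svc/host.example.org@EXAMPLE.ORG

Valid starting     Expires            Service principal
03/06/07 11:00:00  03/06/07 21:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
03/06/07 11:00:05  03/06/07 21:00:00  host/a.example.org@EXAMPLE.ORG
\tEtype (skey, tkt): des3-cbc-sha1, aes256-cts-hmac-sha1-96
03/06/07 11:00:09  03/06/07 21:00:00  afs/example.org@EXAMPLE.ORG
\tEtype (skey, tkt): des-cbc-crc, des-cbc-crc
"""

# Assumed enctype set for a client that understands "3DES at best".
LEGACY_CLIENT_ENCTYPES = {"des3-cbc-sha1", "des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}

ETYPE_LINE = re.compile(r"^\s*Etype \(skey, tkt\):\s*(?P<skey>[^,]+),\s*(?P<tkt>.+?)\s*$")


def parse_cache(klist_output):
    """Return [(service, skey, tkt)] for every ticket in `klist -e` text."""
    tickets, service = [], None
    for line in klist_output.splitlines():
        m = ETYPE_LINE.match(line)
        if m and service:
            tickets.append((service, m["skey"].strip().lower(), m["tkt"].strip().lower()))
            service = None
        elif line[:1].isdigit():
            # Ticket rows start with a timestamp; the principal is the last column.
            service = line.split()[-1]
    return tickets


def unusable_by(tickets, client_enctypes):
    """Return (service, skey) for tickets whose session key the client cannot use.

    Only skey is compared: tkt is encrypted for the service and is never
    decrypted by the program reading the cache.
    """
    return [(svc, skey) for svc, skey, _tkt in tickets if skey not in client_enctypes]


if __name__ == "__main__":
    for svc, skey in unusable_by(parse_cache(SAMPLE_KLIST_E), LEGACY_CLIENT_ENCTYPES):
        print(f"{svc}: session key enctype {skey} not supported by legacy client")
```
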