[OpenAFS] Kerberos 5 encryption types and AFS
Russ Allbery
rra@stanford.edu
Tue, 06 Mar 2007 11:43:03 -0800
Ken Hornstein (Contractor) <kenh@cmf.nrl.navy.mil> writes:

>> I've also found that if I took a client linked with a Kerberos library
>> that didn't understand AES keys (1.2 era), pointed it at a ticket cache
>> containing an AES TGT, and asked it to get a service ticket, it would
>> fail.

> With an AES TGT, or an AES session key as part of the TGT? The latter
> would obviously fail; I really thought we had 1.2 era clients with AES
> service tickets without any problems, but perhaps my memory is failing
> me.

A ticket where both skey and tkt were AES. I assume that it would have
worked fine if tkt was AES but skey was 3DES.

(The specific problem was that we used k5start to maintain a ticket cache
which other programs then used to obtain service tickets, k5start was
linked with a new enough version of Kerberos that it negotiated an AES
skey, and the other programs were linked with an older version of Kerberos
that only understood 3DES at best.)

--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
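
A check for the shared-cache situation described in the message above, added here as an example and not part of the original post: it parses `klist -e` output and reports cache entries whose session key (skey) enctype a legacy client library could not use. The sample output, the short enctype names of current MIT `klist`, and the legacy enctype set are assumptions constructed for illustration.

```python
import re

# Assumption: enctypes a 1.2-era client library can use ("3DES at best").
LEGACY_CLIENT_ENCTYPES = {"des3-cbc-sha1", "des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}

# Constructed sample of `klist -e` output; principals and times are made up.
SAMPLE_KLIST = (
    "Ticket cache: FILE:/tmp/krb5cc_example\n"
    "Default principal: user@EXAMPLE.ORG\n"
    "\n"
    "Valid starting     Expires            Service principal\n"
    "03/06/07 11:00:00  03/06/07 21:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG\n"
    "\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96\n"
    "03/06/07 11:02:00  03/06/07 21:00:00  host/box.example.org@EXAMPLE.ORG\n"
    "\tEtype (skey, tkt): des3-cbc-sha1, aes256-cts-hmac-sha1-96\n"
    "03/06/07 11:05:00  03/06/07 21:00:00  afs/example.org@EXAMPLE.ORG\n"
    "\tEtype (skey, tkt): des-cbc-crc, des-cbc-crc\n"
)

ETYPE_RE = re.compile(r"^\s+Etype \(skey, tkt\):\s*(\S+),\s*(\S+)\s*$")


def parse_klist(text):
    """Return [(service, skey_enctype, tkt_enctype)] from `klist -e` output."""
    entries, service = [], None
    for line in text.splitlines():
        m = ETYPE_RE.match(line)
        if m and service:
            entries.append((service, m.group(1), m.group(2)))
            service = None
        elif line[:1].isdigit():
            # Credential lines start with the "valid starting" date;
            # the service principal is the last field.
            service = line.split()[-1]
    return entries


def unusable_by_legacy(entries, supported=LEGACY_CLIENT_ENCTYPES):
    """Entries whose session key a legacy client cannot use.

    Only skey is checked: the ticket (tkt) is encrypted in the service's
    key and the client passes it along without decrypting it.
    """
    return [(svc, skey) for svc, skey, _tkt in entries if skey not in supported]


if __name__ == "__main__":
    for svc, skey in unusable_by_legacy(parse_klist(SAMPLE_KLIST)):
        print(f"{svc}: session key enctype {skey} not usable by legacy clients")
```
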