
Re: /etc/krb5.conf



On 2/1/06, Wesley Craig <wes@xxxxxxxxx> wrote:
> On 01 Feb 2006, at 01:41, Marcus Watts wrote:
> > Yes, we should be removing default_tkt_enctypes and
> > default_tgs_enctypes lines from krb5.conf.  This is a Good Thing(tm).
>
> My concern is why we put it there in the first place, and what might
> break when we remove it.  If we can't figure that out through
> analysis, we'll have to during testing.  Which is a shame, because it
> means we'll have to invest more time in testing than might otherwise
> be necessary.
>
> :wes

The most likely reason it was there in the first place was because the
example config files had them.  Some examples unfortunately still
include them (like
http://web.mit.edu/kerberos/www/krb5-1.4/krb5-1.4.3/doc/krb5-admin/Sample-krb5.conf-File.html#Sample%20krb5.conf%20File)

If something breaks because this is removed, it is almost certainly
because a service's keytab was generated with encryption key types
that the application (not Kerberos) does not support.

The Kerberos libraries should be able to negotiate the strongest
encryption supported by the Kerberos code on both ends and the
Kerberized service (via its keytab, and therefore the keys it has in
the KDC).  Including these lines in the krb5.conf file limits what the
Kerberos library code can negotiate for *all* services.
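As an added illustration of the point made in this reply (this is example code, not something from the thread or from the MIT Kerberos project): a small audit script that parses a krb5.conf, reports any `default_tkt_enctypes` / `default_tgs_enctypes` lines pinned in `[libdefaults]`, and produces a copy with those lines removed so the libraries can negotiate enctypes per service. The sample krb5.conf embedded below is constructed for the example; the realm, hostnames and the DES enctype names it pins are assumptions modelled on the old sample file, not a real deployment.

```python
"""Audit a krb5.conf for [libdefaults] lines that pin ticket enctypes.

Pinning default_tkt_enctypes / default_tgs_enctypes restricts what the
Kerberos libraries may negotiate for *every* service, so the checker
flags them and strip_pinning() returns a config without them.
"""
import re
from typing import Dict, List, Tuple

# The two [libdefaults] keys discussed in the thread.
PINNING_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes")

# Constructed sample modelled on the old MIT sample file (assumed values,
# not a real deployment).
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = des-cbc-crc des-cbc-md5
    default_tgs_enctypes = des-cbc-crc des-cbc-md5
    dns_lookup_kdc = false

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }
"""

_SECTION_RE = re.compile(r"^\[(\w+)\]$")


def parse_libdefaults(text: str) -> Dict[str, str]:
    """Return the top-level key = value pairs of the [libdefaults] section.

    Brace-delimited sub-blocks (as used under [realms]) are tracked so that
    keys inside them are never mistaken for libdefaults settings.
    """
    section = None
    depth = 0
    found: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            depth = 0
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if section == "libdefaults" and depth == 0 and "=" in line:
            key, value = line.split("=", 1)
            found[key.strip()] = value.strip()
    return found


def pinned_enctypes(text: str) -> List[Tuple[str, List[str]]]:
    """List (key, enctypes) for each pinning key present in [libdefaults]."""
    lib = parse_libdefaults(text)
    return [(k, lib[k].split()) for k in PINNING_KEYS if k in lib]


def strip_pinning(text: str) -> str:
    """Return the config with the pinning lines removed from [libdefaults]."""
    out: List[str] = []
    section = None
    for raw in text.splitlines():
        stripped = raw.strip()
        m = _SECTION_RE.match(stripped)
        if m:
            section = m.group(1).lower()
        if section == "libdefaults" and "=" in stripped:
            key = stripped.split("=", 1)[0].strip()
            if key in PINNING_KEYS:
                continue  # drop the line; let the libraries negotiate
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for key, types in pinned_enctypes(SAMPLE_KRB5_CONF):
        print(f"{key} pins enctypes to {types}; this limits all services")
    print("--- without pinning ---")
    print(strip_pinning(SAMPLE_KRB5_CONF), end="")
```

Running the script on the constructed sample reports both pinned keys and their DES-only lists, then prints the same file with those two lines gone while the realm block is left untouched. Against a real deployment the remaining step is the one the thread describes: check that each service's keytab holds key types the application itself supports before relying on negotiation alone.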