Forum: >>> Magnum BBS <<<

Dark
Log in

Username Password

supported enctypes: what is the net effect of removing 3des?

From Dan Mahoney (Gushi)@21:1/5 to All on Sun Oct 3 02:34:32 2021

Hey there. My org is moving off 3des.

My reading of "supported_enctypes" is simply that it will stop kadmin/the
KDC from generating NEW keys of an older type, correct? That if I do a
cpw without -keepold, those keys will be removed -- but otherwise, the KDC
will not act as though a user with 3des-only keys doesn't exist.

Changing it should not break any authentication or tickets? Or will the
kdc then refuse to issue TGT's that use that type at all? (It seems like
that would be affected by the similarly named permitted_enctypes, tho).

-Dan

--

--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
FB: fb.com/DanielMahoneyIV
LI: linkedin.com/in/gushi
Site: http://www.gushi.org
---------------------------

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

From Greg Hudson@21:1/5 to Dan Mahoney (Gushi) on Sun Oct 3 13:21:05 2021

To: [email protected]

On 10/3/21 5:34 AM, Dan Mahoney (Gushi) wrote:

My reading of "supported_enctypes" is simply that it will stop kadmin/the
KDC from generating NEW keys of an older type, correct?

Correct. (The KDC doesn't generate long-term keys, so only kadmind/kadmin.local and kdb5_util are affected. Also note that a
kadmin client can specify an enctype/salttype list when creating new key
sets, in which case supported_enctypes is ignored.)

That if I do a
cpw without -keepold, those keys will be removed -- but otherwise, the KDC will not act as though a user with 3des-only keys doesn't exist.

Correct. Removing an enctype from permitted_enctypes causes the KDC to
ignore keys of that type, but supported_enctypes is only about new
long-term keys.

Changing it should not break any authentication or tickets?

Correct.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Who's Online
Recent Visitors
- Ab Cadd
  Sat Jun 6 15:42:53 2026
  from Sheboygan, Wi via Telnet
- Centurion
  Sat Jun 6 15:32:28 2026
  from Berea, Ohio via Telnet
- Krenn
  Sat Jun 6 11:38:56 2026
  from Sydney, Nsw via Telnet
- Furryboy
  Sat Jun 6 10:56:29 2026
  from Romania, Galati via SSH
- Centurion
  Fri Jun 5 22:28:01 2026
  from Berea, Ohio via Telnet
- Ab Cadd
  Fri Jun 5 17:52:51 2026
  from Sheboygan, Wi via Telnet
- Gwylbert
  Fri Jun 5 06:28:52 2026
  from Sydney, Nsw via Telnet
- Centurion
  Thu Jun 4 23:42:23 2026
  from Berea, Ohio via Telnet

System Info

Sysop:	Keyop
Location:	Huddersfield, West Yorkshire, UK
Users:	715
Nodes:	16 (2 / 14)
Uptime:	151:41:43
Calls:	12,091
Calls today:	4
Files:	15,000
Messages:	6,517,607