Peter Jordan writes:
> hmmm, although I have set supported enctypes
> supported_enctypes = aes256-cts:normal
> and restarted kdc nothing seems to have changed.
>
> After calling "kinit" klist -5e shows me:
> Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc
> mode with HM
Russ Allbery, Fri Jul 10 2009 19:24:52 GMT+0200 (CEST):
> Peter Jordan writes:
>> Russ Allbery, Fri Jul 10 2009 16:31:14 GMT+0200 (CEST):
>
>> But for new installations a change is not a bad idea?
>
> Yeah, for new installations it's generally best to start the master key
> at the strongest s
Peter Jordan writes:
> Russ Allbery, Fri Jul 10 2009 16:31:14 GMT+0200 (CEST):
>> Yes. The master key isn't used on the network and changing it is
>> very difficult in lenny.
> But for new installations a change is not a bad idea?
Yeah, for new installations it's generally best to start the ma
Russ Allbery, Fri Jul 10 2009 16:31:14 GMT+0200 (CEST):
> Peter Jordan writes:
>
>> Let the option
>> master_key_type = des3-hmac-sha1
>> as it is?
>
> Yes. The master key isn't used on the network and changing it is very
> difficult in lenny.
But for new installations a change is not a b
On Fri, Jul 10, 2009 at 07:31:33AM -0700, Russ Allbery wrote:
> Peter Jordan writes:
> > We use NFSv4.
> I think the current version may have that same problem.
Urgs, yes.
Bastian
--
There is an order of things in this universe.
-- Apollo, "Who Mourns for Adonais?" stardate 346
"Boyd Stephen Smith Jr." writes:
> Russ Allbery wrote:
>> But yes, you don't want to get Kerberos tickets on an insecure system.
> I thought tickets only lasted for a small period of time, and could be
> expired early if need be so that you could use them on insecure
> machines.
True, you can g
In <87ws6gppyi@windlord.stanford.edu>, Russ Allbery wrote:
>Peter Jordan writes:
>> Russ Allbery, Fri Jul 10 2009 00:56:57 GMT+0200 (CEST):
>>> Not without applying custom patches that are rather a hack. You can,
>>> however, do PKINIT, which lets you use smart cards that can do X.509
>>> aut
Peter Jordan writes:
> Russ Allbery, Fri Jul 10 2009 00:56:57 GMT+0200 (CEST):
>> Not without applying custom patches that are rather a hack. You can,
>> however, do PKINIT, which lets you use smart cards that can do X.509
>> authentication (some of which are quite inexpensive these days).
>> We
Peter Jordan writes:
> Russ Allbery, Fri Jul 10 2009 00:55:42 GMT+0200 (CEST):
>> However, if you also have AFS, which I recall that you do, you can't
>> turn it off at that level. You have to leave DES as a supported
>> enctype since the AFS service key at present still has to be DES
>> (althou
Peter Jordan writes:
> Let the option
> master_key_type = des3-hmac-sha1
> as it is?
Yes. The master key isn't used on the network and changing it is very
difficult in lenny.
> No change in /etc/krb5.conf required?
Correct. Clients will negotiate the strongest available encryption key
Russ Allbery, Fri Jul 10 2009 00:56:57 GMT+0200 (CEST):
> Peter Jordan writes:
>
>> btw is it possible to use any kind of one time password mechanism with
>> mit kdc?
>
> Not without applying custom patches that are rather a hack. You can,
> however, do PKINIT, which lets you use smart cards th
Russ Allbery, Fri Jul 10 2009 00:55:42 GMT+0200 (CEST):
> Peter Jordan writes:
>> Russ Allbery, Thu Jul 09 2009 21:51:50 GMT+0200 (CEST):
>
> However, if you also have AFS, which I recall that you do, you can't
> turn it off at that level. You have to leave DES as a supported enctype
> sin
Russ Allbery, Fri Jul 10 2009 00:55:42 GMT+0200 (CEST):
> Peter Jordan writes:
>> Russ Allbery, Thu Jul 09 2009 21:51:50 GMT+0200 (CEST):
>
>>> Ensuring that you use AES enctypes for all keys (disable DES and
>>> ideally also 3DES)
>
>> How?
>
> In /etc/krb5kdc/kdc.conf, set the supported_encty
13 matches