
Re: krb5 transition: upgrading to krb5 1.6.1



>>>>> "Marcus" == Marcus Better <marcus@better.se> writes:

    Marcus> Russ Allbery wrote:
    >> Correct.  In general, you never want to have Kerberos keys in
    >> your KDC for a service principal for enctypes that that service
    >> doesn't support.

    Marcus> Is there an easy way to find out which enctypes a service
    Marcus> supports? (And why does the poor admin have to worry about
    Marcus> this at all?)
It's a function of the software, so read the documentation for the
service.

In general, anything that just uses the Kerberos libraries supports
everything--ssh, samba, imap, http, etc.
The exceptions tend to be:

* NFS - depends on what the kernel supports and the interface between userspace and kernel.
* Telnet - only does DES.
* OpenAFS - generally takes care of itself, but basically only DES.


There is protocol work underway so that a service can request keys for
itself.  This could be combined with some mechanism where packages
install templates indicating what enctypes they support and it's all
automated.  That would require the protocol work be finished and
cooperation between the krb5 package and the related other packages.
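The check the message describes (compare the keys the KDC holds for a service principal against what the service is documented to support, and drop the rest) as an added example. This is not code from the original thread or from the krb5 package. It assumes MIT krb5 kadmin "getprinc" output in the "Key: vno N, <enctype>" form (older releases print a longer descriptive name instead); the getprinc text below is constructed; the supported enctype list comes from the service's documentation, as the message says; the keytab path and the "normal" salt type are placeholders (OpenAFS in particular may need a different salt, so check its documentation before re-keying).

```shell
#!/bin/sh
# Added example, not code from the original thread or from the krb5 package.
# Checks the keys a KDC holds for a service principal against the enctypes the
# service is documented to support, and builds the kadmin command that would
# re-key the principal (and rewrite its keytab) with only the supported set.
#
# Assumptions: MIT krb5 kadmin "getprinc" output in the "Key: vno N, <enctype>"
# form; the supported list comes from the service's own documentation; the
# keytab path and the "normal" salt type are placeholders.

# Constructed sample of 'kadmin -q "getprinc afs/example.com"' output. The
# principal has three keys, but (per the thread) OpenAFS is basically DES-only.
SAMPLE_GETPRINC='Principal: afs/example.com@EXAMPLE.COM
Expiration date: [never]
Number of keys: 3
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, des3-cbc-sha1
Key: vno 2, des-cbc-crc
Attributes:'

# Principal name from getprinc output (stdin).
kdc_principal() {
    sed -n 's/^Principal: *//p'
}

# Enctype names of the keys the KDC holds (from getprinc output on stdin),
# one per line, sorted bytewise so the result is stable across locales.
kdc_enctypes() {
    sed -n 's/^Key: vno [0-9]*, *\([^ ,]*\).*/\1/p' | LC_ALL=C sort -u
}

# $1: getprinc text, $2: space-separated enctypes the service supports.
# Prints the KDC keys the service cannot use, one per line (empty if none).
unsupported_keys() {
    printf '%s\n' "$1" | kdc_enctypes | while read -r enctype; do
        case " $2 " in
            *" $enctype "*) ;;                 # the service can use this key
            *) printf '%s\n' "$enctype" ;;     # a key that will only cause failures
        esac
    done
}

# $1: principal, $2: supported enctypes, $3: keytab path.
# kadmin "ktadd -e" generates fresh keys with exactly these enctype:salt pairs,
# so afterwards the KDC holds no key the service cannot decrypt.
rekey_command() {
    spec=""
    for enctype in $2; do
        spec="${spec:+$spec }$enctype:normal"
    done
    printf "kadmin -q 'ktadd -k %s -e \"%s\" %s'\n" "$3" "$spec" "$1"
}

# Demo: report the mismatch and the suggested fix for the sample principal.
principal=$(printf '%s\n' "$SAMPLE_GETPRINC" | kdc_principal)
extra=$(unsupported_keys "$SAMPLE_GETPRINC" "des-cbc-crc")
if [ -n "$extra" ]; then
    echo "$principal has KDC keys the service cannot use:"
    echo "$extra"
    echo "Suggested fix:"
    rekey_command "$principal" "des-cbc-crc" /etc/krb5.keytab
else
    echo "$principal: all KDC keys are usable by the service"
fi
```

Re-keying after the fact is the repair; the same mismatch can be avoided up front by creating the principal with "addprinc -e" restricted to the documented enctypes, or by limiting "supported_enctypes" in kdc.conf for a KDC that only serves such services.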


