[Freeipa-users] Strange klist output

Rob Crittenden rcritten at redhat.com
Sat Feb 25 22:16:40 UTC 2012


John Dennis wrote:
> On 02/25/2012 09:40 AM, Simo Sorce wrote:
>>> Why do we now have all these enctypes? Is it to satisfy forwarding/proxy
>>> when you don't know a priori which enctype the foreign endpoint will
>>> require?
>>
>> Because in Kerberos each principal can have multiple keys, generally one
>> per supported (by the KDC) enctype. This is so that a client can use the
>> strongest enctype it has crypto support for.
>
> Sure, that makes sense. But this is new behavior, what changed?
>

Nothing, it has always worked this way.

These days you'll only see 4 enctypes as DES is disabled by default.

rob
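
Added example, not part of the original message: a short script that groups keytab entries by principal and key version, showing that the repeated lines are one key per enctype, and reports any single-DES keys still present. The sample listing is constructed in the layout of MIT Kerberos `klist -ke` output; the principals, realm and enctype names in it are assumptions, not values from this thread.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of `klist -ke`; not taken from the thread.
SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/client.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 host/client.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 host/client.example.com@EXAMPLE.COM (des3-cbc-sha1)
   2 host/client.example.com@EXAMPLE.COM (arcfour-hmac)
   1 nfs/client.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 nfs/client.example.com@EXAMPLE.COM (des-cbc-crc)
"""

# One keytab entry per line: KVNO, principal, enctype in parentheses.
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")
SINGLE_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}


def group_keys(text):
    """Map (principal, kvno) -> list of enctypes, in listing order."""
    keys = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:  # header and separator lines do not match
            kvno, principal, enctype = m.groups()
            keys[(principal, int(kvno))].append(enctype)
    return dict(keys)


def single_des_entries(keys):
    """Return (principal, kvno, enctype) for every single-DES key found."""
    return [(p, k, e) for (p, k), es in keys.items()
            for e in es if e in SINGLE_DES]


if __name__ == "__main__":
    keys = group_keys(SAMPLE)
    for (principal, kvno), enctypes in keys.items():
        print(f"{principal} kvno={kvno}: {len(enctypes)} keys: "
              f"{', '.join(enctypes)}")
    for principal, kvno, enctype in single_des_entries(keys):
        print(f"single-DES key present: {principal} kvno={kvno} ({enctype})")
```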



