Subject: Typed-in master passwords should use enctypes in K/M entry

When you use a typed-in password for krb5kdc or kadmind, that password is converted to a keyblock for a specific enctype, determined either by realm configuration (master_key_type), command-line flag (krb5kdc's -k flag), or the built-in default (DEFAULT_KDC_ENCTYPE). It is unnecessary to require the administrator to specify this enctype, and it can lead to surprising failures when the built-in default changes between releases.

Ideally, the password should be tried against each enctype present in the K/M key data array. This enhancement requires a change to the libkdb5 interfaces, since kdb_db_fetch_mkey currently reads the password and produces a single keyblock.

(A simpler approach would be to use the enctype of the most recent master key entry. However, that change could break some working configurations, where the admin is entering the password of an older master key entry.)
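
The lookup proposed above, modelled in Python as an added example (not MIT krb5 code and not part of the ticket), next to the simpler newest-enctype alternative so the difference shows on an older master key entry. Assumptions: `string_to_key` is a PBKDF2 stand-in for the real per-enctype string-to-key functions, the check value stands in for the master key encrypted in itself, and the function names, salt, passwords and K/M entries are constructed.

```python
import hashlib
import hmac
from typing import NamedTuple, Optional

# Stand-in string-to-key table: enctype number -> (PBKDF2 hash, key length).
# It only models "same password, different enctype, different key".
STAND_IN_S2K = {17: ("sha1", 16), 18: ("sha1", 32), 20: ("sha384", 32)}
SALT = b"EXAMPLE.COMKM"  # constructed salt for a hypothetical realm

class KeyData(NamedTuple):
    kvno: int
    enctype: int
    check: bytes  # stand-in for the master key encrypted in itself

def string_to_key(password: str, enctype: int) -> bytes:
    digest, length = STAND_IN_S2K[enctype]
    return hashlib.pbkdf2_hmac(digest, password.encode(), SALT, 4096, length)

def check_value(key: bytes) -> bytes:
    return hmac.new(key, b"K/M self-check", hashlib.sha256).digest()

def make_entry(kvno: int, enctype: int, password: str) -> KeyData:
    return KeyData(kvno, enctype, check_value(string_to_key(password, enctype)))

def fetch_mkey_try_all(password: str, key_data: list) -> Optional[KeyData]:
    """Proposed behaviour: try each enctype present in the K/M key data."""
    derived = {}  # one string-to-key run per distinct enctype
    for entry in sorted(key_data, key=lambda e: e.kvno, reverse=True):
        if entry.enctype not in STAND_IN_S2K:
            continue  # enctype we cannot derive: skip it, do not fail
        if entry.enctype not in derived:
            derived[entry.enctype] = string_to_key(password, entry.enctype)
        candidate = check_value(derived[entry.enctype])
        if hmac.compare_digest(candidate, entry.check):
            return entry  # password matches this master key version
    return None

def fetch_mkey_newest_enctype(password: str, key_data: list) -> Optional[KeyData]:
    """Simpler alternative: derive only with the newest entry's enctype."""
    newest = max(key_data, key=lambda e: e.kvno)
    same = [e for e in key_data if e.enctype == newest.enctype]
    return fetch_mkey_try_all(password, same)

# Constructed K/M history: the master key was rolled from enctype 18 to 20.
SAMPLE_KM = [make_entry(1, 18, "old-master-pw"), make_entry(2, 20, "new-master-pw")]

if __name__ == "__main__":
    print(fetch_mkey_try_all("old-master-pw", SAMPLE_KM))
    print(fetch_mkey_newest_enctype("old-master-pw", SAMPLE_KM))
```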