Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-RT-Original-Encoding: us-ascii
Content-Length: 1496

Reported by Seema.Malkani@Sun.COM:

In reference to support for AES encryption type in Kerberos,
the MIT kerberos docs for 1.3.3 doesn't seem to be correct.
krb5-1.3.3 does include support for AES. But the docs mention
AES support in GSS does not exist.

http://web.mit.edu/kerberos/www/krb5-1.3/krb5-1.3.3/doc/krb5-admin.html

While aes128-cts and aes256-cts are supported for all Kerberos 
operations, they are not supported by the GSSAPI. AES GSSAPI support 
will be added after the necessary standardization work is completed.

By default, AES is enabled on clients and application servers. Because 
of the lack of support for GSSAPI, AES is disabled in the default KDC 
supported_enctypes kdc.conf 
<http://web.mit.edu/kerberos/www/krb5-1.3/krb5-1.3.3/doc/krb5-admin.html#kdc.conf>. 
Sites wishing to use AES encryption types on their KDCs need to be 
careful not to give GSSAPI services AES keys. If GSSAPI services are 
given AES keys, then services will start to fail in the future when 
clients supporting AES for GSSAPI are deployed before updated servers 
that support AES for GSSAPI. Sites may wish to use AES for user keys and 
for the ticket granting ticket key, although doing so requires 
specifying what encryption types are used as each principal is created. 
Alternatively sites can use the default configuration which will make 
AES support available in clients and servers but not actually use this 
support until a future version of Kerberos adds support to GSSAPI.

Seema