#

# Patch to make des-cbc-md5 equivalent to des-cbc-crc when the KDC is deciding

# to issue a des session key for a service princ.  This maintains existing

# Solaris behavior that MIT does not intend on adopting given that single des

# is on the way out.

# Patch source: in-house

#

--- a/src/kdc/kdc_util.c

+++ b/src/kdc/kdc_util.c

@@ -987,16 +987,11 @@ dbentry_supports_enctype(kdc_realm_t *kdc_active_realm, krb5_db_entry *server,

     free(etypes);

     /* If configured to, assume every server without a session_enctypes

-     * attribute supports DES_CBC_CRC. */

+     * attribute supports DES_CBC_CRC or DES_CBC_MD5. */

     if (kdc_active_realm->realm_assume_des_crc_sess &&

-        enctype == ENCTYPE_DES_CBC_CRC)

+        (enctype == ENCTYPE_DES_CBC_CRC || enctype == ENCTYPE_DES_CBC_MD5))

         return TRUE;

-    /* Due to an ancient interop problem, assume nothing supports des-cbc-md5

-     * unless there's a session_enctypes explicitly saying that it does. */

-    if (enctype == ENCTYPE_DES_CBC_MD5)

-        return FALSE;

-

     /* Assume the server supports any enctype it has a long-term key for. */

     return !krb5_dbe_find_enctype(kdc_context, server, enctype, -1, 0, &datap);

 }