>How do I know which key types a service can support?

From the KDC's perspective, there is no way to know that; it falls upon the
admin (you) to know that.

>Am I pretty much relegated to setting up a test KDC
>and pointing test clients at it and then trial&error
>for every single service/server/keytype combination
>to see which ones work and which ones don't?
>
>Or is there some way I can just check, oh this server
>app is linked against krb5-1.x.y and that supports
>enctypes a, b & c? Is there even a list of which
>release each enctype was first supported in?


You could probably generate that yourself just by looking at a release
history. You might even be able to write a small program that uses the
krb5 API to determine which enctypes a particular Kerberos library
supports. I don't think the number of enctypes you care about is large,
is it? I mean, I think from a practical perspective what you care
about is 3DES, ArcFour, and AES. I would guess ArcFour and AES came into
MIT Kerberos around the same time. Might require a little bit of work
looking at different releases, but it shouldn't take that long.

--Ken
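
An added example, not part of the original message: one way to write the small probe suggested above, asking a given Kerberos library build which enctypes it accepts. It assumes an MIT krb5 installation whose libk5crypto exports `krb5_c_valid_enctype`; the function names `load_crypto_lib`, `supported_enctypes` and `missing_families` are hypothetical, and Python with ctypes is used so the probe can be pointed at a specific shared library file.

```python
import ctypes
import ctypes.util
import sys

# Assigned Kerberos enctype numbers for the three families named in the reply.
KNOWN = {
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}

def load_crypto_lib(path=None):
    """Load an MIT krb5 crypto library (assumption); None if unavailable."""
    name = path or ctypes.util.find_library("k5crypto")
    if not name:
        return None
    try:
        lib = ctypes.CDLL(name)
        fn = lib.krb5_c_valid_enctype  # krb5_boolean f(krb5_enctype)
    except (OSError, AttributeError):
        return None
    fn.argtypes = [ctypes.c_int32]
    fn.restype = ctypes.c_uint
    return lib

def supported_enctypes(lib, max_enctype=64):
    """Map every enctype number the library accepts to a name."""
    found = {}
    for num in range(1, max_enctype + 1):
        if lib.krb5_c_valid_enctype(num):
            found[num] = KNOWN.get(num, "enctype-%d" % num)
    return found

def missing_families(found):
    """Names from KNOWN that this library build does not support."""
    return sorted(name for num, name in KNOWN.items() if num not in found)

if __name__ == "__main__":
    # Optional argument: path to the shared library a server app links against.
    lib = load_crypto_lib(sys.argv[1] if len(sys.argv) > 1 else None)
    if lib is None:
        print("no usable MIT krb5 crypto library found")
    else:
        found = supported_enctypes(lib)
        for num in sorted(found):
            print(num, found[num])
        print("missing:", ", ".join(missing_families(found)) or "none")
```

Running it against each library version a service is linked to gives the per-build enctype list without a trial KDC; it reports what the library implements, not what a given service's configuration permits.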