"best" enctype?

Luke Howard lukeh at padl.com
Mon Aug 15 11:50:13 EDT 2011


On 15/08/2011, at 5:27 AM, Chris Hecker wrote:

> 
> I have a closed system that doesn't need to interoperate with any other 
> kerberos servers.  Should I just force everything to 
> ENCTYPE_AES256_CTS_HMAC_SHA1_96?  Is there a downside to doing this?


In configuration files, do what you like, but if you're writing code, I would try and be a little more flexible; e.g. you could call krb5_get_permitted_enctypes() and select the first (I'm sure Greg will have a better idea).

-- Luke
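
The following is an added example, not part of the original message or of any Kerberos code base: it sketches choosing an enctype from a permitted list instead of hard-coding one. The helper select_enctype(), the EX_ constants and the sample lists are hypothetical; the list stands in for the zero-terminated, preference-ordered array that krb5_get_permitted_enctypes() returns, and plain int stands in for krb5_enctype.

```c
#include <stddef.h>
#include <stdio.h>

/* Kerberos enctype numbers as assigned in RFC 3961/3962/4757, defined
 * locally (EX_ prefix) so the example builds without krb5.h. */
enum {
    EX_DES_CBC_CRC   = 1,
    EX_DES3_CBC_SHA1 = 16,
    EX_AES128_CTS    = 17,
    EX_AES256_CTS    = 18,   /* ENCTYPE_AES256_CTS_HMAC_SHA1_96 */
    EX_ARCFOUR_HMAC  = 23
};

/* Hypothetical helper: walk a zero-terminated, preference-ordered list
 * (the form krb5_get_permitted_enctypes() returns) and return the first
 * entry the application also supports, or 0 if the lists do not overlap. */
int select_enctype(const int *permitted, const int *supported)
{
    if (permitted == NULL || supported == NULL)
        return 0;
    for (size_t i = 0; permitted[i] != 0; i++)
        for (size_t j = 0; supported[j] != 0; j++)
            if (permitted[i] == supported[j])
                return permitted[i];
    return 0;
}

int main(void)
{
    /* Constructed sample lists; in real code `permitted` would be filled
     * by krb5_get_permitted_enctypes() and freed afterwards. */
    const int permitted[] = { EX_AES256_CTS, EX_AES128_CTS, EX_ARCFOUR_HMAC, 0 };
    const int app_ok[]    = { EX_AES128_CTS, EX_AES256_CTS, 0 };

    int e = select_enctype(permitted, app_ok);
    if (e == 0) {
        fprintf(stderr, "no usable enctype\n");
        return 1;
    }
    printf("selected enctype %d\n", e);
    return 0;
}
```

Because the outer loop follows the permitted list, the library's configured preference order decides the result, and an empty overlap is reported as an error instead of silently falling back to a fixed enctype.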
