"best" enctype?

Russ Allbery rra at stanford.edu
Mon Aug 15 13:38:00 EDT 2011


Luke Howard <lukeh at padl.com> writes:
> On 15/08/2011, at 5:27 AM, Chris Hecker wrote:

>> I have a closed system that doesn't need to interoperate with any other
>> kerberos servers.  Should I just force everything to
>> ENCTYPE_AES256_CTS_HMAC_SHA1_96?  Is there a downside to doing this?

> In configuration files, do what you like but -- if you're writing code,
> I would try and be a little more flexible. e.g. you could call
> krb5_get_permitted_enctypes() and select the first (I'm sure Greg will
> have a better idea).

Yes, for configuration it's not a horrible idea, but in your code, if
someone breaks AES and you want to switch to Camellia or something else,
you don't want to have to do code patches.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>