"best" enctype?

Chris Hecker checker at d6.com
Mon Aug 15 15:54:39 EDT 2011


Well, I'm setting the profile in code, so I'll have to patch anyway, but 
I'll do the krb5_get_permitted_enctypes() thing; I had a todo to try to 
figure out how to get the default out of the context/profile, so at 
least it's only hard-coded in one place now.  :)

Thanks,
Chris

On 2011/08/15 10:38, Russ Allbery wrote:
> Luke Howard <lukeh at padl.com> writes:
>> On 15/08/2011, at 5:27 AM, Chris Hecker wrote:
>
>>> I have a closed system that doesn't need to interoperate with any other
>>> Kerberos servers.  Should I just force everything to
>>> ENCTYPE_AES256_CTS_HMAC_SHA1_96?  Is there a downside to doing this?
>
>> In configuration files, do what you like but -- if you're writing code,
>> I would try and be a little more flexible. e.g. you could call
>> krb5_get_permitted_enctypes() and select the first (I'm sure Greg will
>> have a better idea).
>
> Yes, for configuration it's not a horrible idea, but in your code, if
> someone breaks AES and you want to switch to Camellia or something else,
> you don't want to have to do code patches.
>
