[krbdev.mit.edu #1429] AES/GSS combination broken

Ken Raeburn via RT rt-comment at krbdev.mit.edu
Fri Apr 18 01:47:23 EDT 2003


Our GSS krb5 mechanism code limits the enctypes used to those
supported by GSS before trying to acquire the service ticket.  With
the AES support in the krb5 library checked in, and no support in the
GSS mechanism for it, this means a TGT with an AES session key cannot
be used to get a service ticket with a 3DES or DES session key.

I'll bring this up on the krbdev list for discussion.

In theory, the test suite should probably be limiting the ftp or host
service to the key types supported by the GSS implementation used for
the server, in case the client-supported list is different, but since
we're only really testing the same version of client and server code
at one time, and we've tended to add the support simultaneously, it's
not a priority.

