[krbdev.mit.edu #1429] AES/GSS combination broken

Ken Raeburn via RT rt-comment at krbdev.mit.edu
Thu Apr 24 19:24:10 EDT 2003


Proposed fix from discussion:

Track config-file (or compiled-in) default_tgs_enctypes and
application-supplied list separately in krb5_context.  When getting an
intermediate TGT, from the ccache or from a KDC, use the config-file
version only; when getting the ultimate application ticket (even if it's
a TGT for a user running a kvno-like program), prefer the
application-supplied list if any.  Distinguish the two with some context
flag, or an added argument to some internal API (unspecified).

Then we should be able to acquire and use AES TGT session keys to get
GSS-supported tickets.

We may have problems with this when we start relying on KDC referrals.
Burn that bridge when we get to it.
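The two-list rule above, modelled as an added illustration (not krb5 code and not the author's): a hypothetical `enctype_lists` stands in for the two lists the proposal keeps in krb5_context, `pick_list` applies the config-file list to intermediate TGTs and the application list to the final ticket, and a constructed scenario (AES TGT in the ccache, a GSS application limited to DES3/DES) shows the old behaviour refusing the TGT and the proposed behaviour issuing a DES3 service ticket.

```c
#include <stdbool.h>
#include <stddef.h>

/* Enctype numbers as assigned in RFC 3961/3962; labels only, not the library's headers. */
#define ENCTYPE_DES_CBC_CRC             1
#define ENCTYPE_DES3_CBC_SHA1           16
#define ENCTYPE_AES256_CTS_HMAC_SHA1_96 18

/* Hypothetical model of the two lists the proposal tracks separately. */
struct enctype_lists {
    const int *conf; size_t n_conf;  /* config-file / compiled-in default_tgs_enctypes */
    const int *app;  size_t n_app;   /* application-supplied list, possibly empty */
};

static bool list_has(const int *list, size_t n, int etype)
{
    for (size_t i = 0; i < n; i++)
        if (list[i] == etype) return true;
    return false;
}

/* Proposed rule: intermediate TGTs use the config list only; the final ticket
 * prefers the application list when one was supplied. separate == false models
 * the pre-fix behaviour, where the application list governs every step. */
static const int *pick_list(const struct enctype_lists *l, bool separate,
                            bool intermediate_tgt, size_t *n)
{
    if (l->n_app > 0 && (!separate || !intermediate_tgt)) { *n = l->n_app; return l->app; }
    *n = l->n_conf; return l->conf;
}

/* One simulated credential fetch: the cached TGT (session key enctype
 * tgt_session_etype) must be acceptable under the intermediate-step list, then
 * the KDC issues the service ticket with the first enctype of the final-step
 * list. Returns the ticket enctype, or 0 when the TGT is refused. */
int get_service_ticket(const struct enctype_lists *l, bool separate, int tgt_session_etype)
{
    size_t n;
    const int *tgt_list = pick_list(l, separate, true, &n);
    if (!list_has(tgt_list, n, tgt_session_etype))
        return 0;                      /* AES TGT session key not in the active list */
    const int *svc_list = pick_list(l, separate, false, &n);
    return n > 0 ? svc_list[0] : 0;    /* KDC honours the first requested enctype */
}

/* Constructed scenario: AES-capable config, GSS application that can only do DES3/DES. */
static const int conf_list[] = { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_DES3_CBC_SHA1, ENCTYPE_DES_CBC_CRC };
static const int gss_list[]  = { ENCTYPE_DES3_CBC_SHA1, ENCTYPE_DES_CBC_CRC };
const struct enctype_lists scenario = { conf_list, 3, gss_list, 2 };

int before_fix(void) { return get_service_ticket(&scenario, false, ENCTYPE_AES256_CTS_HMAC_SHA1_96); }
int after_fix(void)  { return get_service_ticket(&scenario, true,  ENCTYPE_AES256_CTS_HMAC_SHA1_96); }
```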

