gss-client encryption types

Sam Hartman hartmans at MIT.EDU
Wed May 8 22:10:00 EDT 2002


>>>>> "Donn" == Donn Cave <donn at u.washington.edu> writes:

    Donn> Isn't it true that the set of enctypes GSSAPI uses will be a
    Donn> _subset_ of the enctypes that Kerberos supports?  If
    Donn> krb5.ini gives you the list of enctypes that are supported
    Donn> at this site, is GSSAPI required to ask for more that aren't
    Donn> on that list?

    Donn> Cf. "Re: KRB5 1.2.2+Solaris 8 SPARC + imap-2001a rc2 ==
    Donn> enc_type_not_supported", krbdev Nov 2001.


Yes, I believe that 1.2.5 probably gets this right.  But it still
doesn't influence ticket enctype.  Also, note that you should not need
to restrict your client enctypes from the full set.  If you do so,
then you make it harder to add enctypes to the realm.  The code should
correctly negotiate the available enctypes.  We've been fixing bugs
where it doesn't happen as we find them.  We don't currently know of
such bugs.



