GSS-krb5 and enctype lists, revisited
Ken Raeburn
raeburn at MIT.EDU
Fri Apr 18 16:51:36 EDT 2003

Nicolas Williams <Nicolas.Williams at sun.com> writes:

> I like Sam's suggestion. Basically, the application shouldn't care one
> iota about the enctypes of x-realm TGTs needed to get the actual,
> requested service ticket. So the application's requested enctypes
> should only apply to the final TGS exchange, and a configurable list of
> enctypes should apply to all intermediate TGS exchanges.

What about "kvno krbtgt/whatever"? Should that obey the
default_tgs_enctypes setting from krb5.conf or not? In that case, "is
it a TGT" and "is it an intermediate TGT we need in order to get the
requested ticket" can have two different answers.

> Again, I don't think the application should care about intermediate TGS
> exchanges and the enctypes of the corresponding x-realm TGTs.
> Cross-realm traversal should be done entirely under the hood.

No argument there. I'm just unsure of the best way to achieve that.
More information about the krbdev mailing list