GSS-krb5 and enctype lists, revisited

Nicolas Williams Nicolas.Williams at
Fri Apr 18 17:44:08 EDT 2003

On Fri, Apr 18, 2003 at 04:51:36PM -0400, Ken Raeburn wrote:
> Nicolas Williams <Nicolas.Williams at> writes:
> > I like Sam's suggestion.  Basically, the application shouldn't care one
> > iota about the enctypes of x-realm TGTs needed to get the actual,
> > requested service ticket.  So the application's requested enctypes
> > should only apply to the final TGS exchange, and a configurable list of
> > enctypes should apply to all intermediate TGS exchanges.
> What about "kvno krbtgt/whatever"?  Should that obey the
> default_tgs_enctypes setting from krb5.conf or not?  In that case, "is
> it a TGT" and "is it an intermediate TGT we need in order to get the
> requested ticket" can have two different answers.

It's not an intermediate TGT - it's what the application requested.

Of course, I'm counting on the default to be the same for "intermediate
TGTs" and "service tickets" and krb5_gss_init_sec_context() overriding
the default for service ticket but not the default for intermediate

> > Again, I don't think the application should care about intermediate TGS
> > exchanges and the enctypes of the corresponding x-realm TGTs.
> > Cross-realm traversal should be done entirely under the hood.
> No argument there.  I'm just unsure of the best way to achieve that.

I still think that (3) is the best way.  Now I see that that means
adding a new config option that defaults to the default tgs enctypes
option's value and which is not meant to be set by anything other than
applications that need it (e.g., libgssapi_krb5).

Ideally there'd be an extended krb5_get_cred*() API as I mentioned just
a few minutes ago.



More information about the krbdev mailing list