GSS-krb5 and enctype lists, revisited
Nicolas Williams
Nicolas.Williams at sun.com
Fri Apr 18 17:44:08 EDT 2003
On Fri, Apr 18, 2003 at 04:51:36PM -0400, Ken Raeburn wrote:
> Nicolas Williams <Nicolas.Williams at sun.com> writes:
> > I like Sam's suggestion. Basically, the application shouldn't care one
> > iota about the enctypes of x-realm TGTs needed to get the actual,
> > requested service ticket. So the application's requested enctypes
> > should only apply to the final TGS exchange, and a configurable list of
> > enctypes should apply to all intermediate TGS exchanges.
>
> What about "kvno krbtgt/whatever"? Should that obey the
> default_tgs_enctypes setting from krb5.conf or not? In that case, "is
> it a TGT" and "is it an intermediate TGT we need in order to get the
> requested ticket" can have two different answers.
It's not an intermediate TGT - it's what the application requested.
Of course, I'm counting on the default to be the same for "intermediate
TGTs" and "service tickets" and krb5_gss_init_sec_context() overriding
the default for service ticket but not the default for intermediate
TGTs.
> > Again, I don't think the application should care about intermediate TGS
> > exchanges and the enctypes of the corresponding x-realm TGTs.
> > Cross-realm traversal should be done entirely under the hood.
>
> No argument there. I'm just unsure of the best way to achieve that.
I still think that (3) is the best way. Now I see that that means
adding a new config option that defaults to the default tgs enctypes
option's value and which is not meant to be set by anything other than
applications that need it (e.g., libgssapi_krb5).
Ideally there'd be an extended krb5_get_cred*() API as I mentioned just
a few minutes ago.
Cheers,
Nico
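As an added example that is not part of the original thread (and not MIT krb5 code), the following Python model walks a constructed cross-realm path A.EXAMPLE -> B.EXAMPLE -> C.EXAMPLE and contrasts two policies: applying the application's enctype list to every TGS exchange, versus applying it only to the final exchange and using the configured default list for the intermediate cross-realm TGTs, which is option (3) as Nico describes it. It also runs the "kvno krbtgt/whatever" case Ken raised, where the TGT is the requested ticket rather than an intermediate hop. The principal names, key enctypes, KDC table and `default_tgs_etypes` list are all constructed assumptions, and the KDC's enctype selection is simplified to "first enctype in the client's list for which the service has a key".

```python
from dataclasses import dataclass

# RFC 3961 enctype numbers, used as plain integers in this model.
ENCTYPE_DES3_CBC_SHA1 = 16
ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 17
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18


class KdcError(Exception):
    """Stands in for KDC_ERR_ETYPE_NOSUPP: the service has no key in any enctype the client listed."""


@dataclass(frozen=True)
class Ticket:
    sprinc: str
    enctype: int


# Constructed KDC view (an assumption, not real data): service principal -> enctypes of its keys.
# The cross-realm key A.EXAMPLE shares with B.EXAMPLE is an old des3 key that was never rolled;
# the final service only has an AES-256 key.
KDB = {
    "krbtgt/B.EXAMPLE@A.EXAMPLE": {ENCTYPE_DES3_CBC_SHA1},
    "krbtgt/C.EXAMPLE@B.EXAMPLE": {ENCTYPE_DES3_CBC_SHA1, ENCTYPE_AES256_CTS_HMAC_SHA1_96},
    "host/server.c.example@C.EXAMPLE": {ENCTYPE_AES256_CTS_HMAC_SHA1_96},
}

# Cross-realm path a client in A.EXAMPLE walks to reach C.EXAMPLE: the
# intermediate TGTs it must acquire before the final TGS exchange.
PATH_A_TO_C = ("krbtgt/B.EXAMPLE@A.EXAMPLE", "krbtgt/C.EXAMPLE@B.EXAMPLE")


def tgs_exchange(sprinc, etypes):
    """One TGS-REQ/TGS-REP. Simplification: the KDC issues the ticket in the
    first enctype of the client's list for which the service has a key."""
    for etype in etypes:
        if etype in KDB[sprinc]:
            return Ticket(sprinc, etype)
    raise KdcError(f"KDC_ERR_ETYPE_NOSUPP: {sprinc} has no key in {etypes}")


def get_service_ticket(sprinc, app_etypes, default_tgs_etypes, path=(),
                       scope_app_etypes_to_final=True):
    """Acquire every TGT on `path`, then the ticket for `sprinc`.

    scope_app_etypes_to_final=True models option (3): the application's list
    governs only the final TGS exchange and the configured default list governs
    the intermediate cross-realm TGTs.  False models applying the application's
    list to every exchange.  Returns the tickets in the order they were obtained.
    """
    tickets = []
    for hop in path:
        hop_etypes = default_tgs_etypes if scope_app_etypes_to_final else app_etypes
        tickets.append(tgs_exchange(hop, hop_etypes))
    tickets.append(tgs_exchange(sprinc, app_etypes))
    return tickets


def run_scenarios():
    """Compare the two policies; returns {scenario: list of tickets, or the KDC error string}."""
    app_etypes = [ENCTYPE_AES256_CTS_HMAC_SHA1_96]  # what the application asked for
    # Constructed stand-in for the krb5.conf default_tgs_enctypes list.
    default_tgs_etypes = [ENCTYPE_AES256_CTS_HMAC_SHA1_96,
                          ENCTYPE_AES128_CTS_HMAC_SHA1_96,
                          ENCTYPE_DES3_CBC_SHA1]
    service = "host/server.c.example@C.EXAMPLE"
    out = {}
    for name, scoped in (("app_list_every_hop", False), ("app_list_final_only", True)):
        try:
            out[name] = get_service_ticket(service, app_etypes, default_tgs_etypes,
                                           PATH_A_TO_C, scope_app_etypes_to_final=scoped)
        except KdcError as err:
            out[name] = str(err)
    # The "kvno krbtgt/whatever" case: the TGT is the requested ticket, not an
    # intermediate hop, so the application's list applies to it.
    try:
        out["kvno_krbtgt"] = get_service_ticket("krbtgt/B.EXAMPLE@A.EXAMPLE",
                                                app_etypes, default_tgs_etypes)
    except KdcError as err:
        out["kvno_krbtgt"] = str(err)
    return out


if __name__ == "__main__":
    for scenario, result in run_scenarios().items():
        print(f"{scenario}: {result}")
```

Running it shows the failure mode the thread is about: with the application's aes256-only list applied to every hop, the very first cross-realm TGS exchange fails because the A/B cross-realm key only exists in des3, so the application never gets its AES-256 service ticket even though the final service supports it. With the list scoped to the final exchange, the intermediate TGTs come back in whatever the default list allows (des3 for the first hop, aes256 for the second) and the service ticket is still issued in the enctype the application asked for. The kvno case fails under the same aes256-only list, which is consistent with treating an explicitly requested krbtgt ticket as "what the application requested" rather than as an intermediate TGT.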