GSS-krb5 and enctype lists, revisited
Sam Hartman
hartmans at MIT.EDU
Fri Apr 18 19:13:48 EDT 2003
>>>>> "Ken" == Ken Raeburn <raeburn at MIT.EDU> writes:
Ken> Nicolas Williams <Nicolas.Williams at sun.com> writes:
>> I like Sam's suggestion. Basically, the application shouldn't
>> care one iota about the enctypes of x-realm TGTs needed to get
>> the actual, requested service ticket. So the application's
>> requested enctypes should only apply to the final TGS exchange,
>> and a configurable list of enctypes should apply to all
>> intermediate TGS exchanges.
Ken> What about "kvno krbtgt/whatever"? Should that obey the
Ken> default_tgs_enctypes setting from krb5.conf or not? In that
Ken> case, "is it a TGT" and "is it an intermediate TGT we need in
Ken> order to get the requested ticket" can have two different
Ken> answers.
I believe that kvno krbtgt should obey default_tgs_enctypes but would
be willing to reconsider based on implementation complexity or others'
opinions.

Another thing to consider that I don't think I like would be to always
use default_tkt_enctypes for TGTs. I don't actually think that makes
things simpler or solves any real problems.