GSS-krb5 and enctype lists, revisited
Nicolas Williams
Nicolas.Williams at sun.com
Thu Apr 24 21:54:25 EDT 2003
On Thu, Apr 24, 2003 at 08:35:30PM -0400, Ken Raeburn wrote:
> We may have problems with this when we start relying on KDC referrals.
> (You send a request to your KDC for a {3DES, RC4, DES} ticket for
> ftp/fooserver, and it sends you back a cross-realm TGT, needlessly
> restricted in enctype by the list of enctypes supported by the GSS
> code, because it can't distinguish between the enctypes supported by
> the application protocol, and the enctypes supported by the krb5 code
> for talking to the KDC.) But we can burn that bridge when we get to
> it...
Er, this is indicative of a protocol issue. If we have referrals then
a client that knows about referrals should be able to list two enctype
lists in TGS-REQs: one for the service ticket, one for any referrals.
Sam can probably add that one to the list of extensions :)
Cheers,
Nico
--
More information about the krbdev
mailing list