Mechanism extensions and the GSSAPI
Nicolas Williams
Nicolas.Williams at Sun.COM
Thu Apr 29 12:59:03 EDT 2004
On Thu, Apr 29, 2004 at 12:31:59PM -0400, Wyllys Ingersoll wrote:
> - As Nico suggests, create your NFS principals with the desired enctypes
> in the first place.
> - Set the permitted_enctypes, default_tgs/tkt_enctypes settings in
> krb5.conf
> so that only the desired enctypes are used.
>
> I can't believe this thread has gone this far...
Heh.
Ideally CITI would just: a) use KRB5_CONFIG/ktadd -e... to cope until b)
they port the per-msg token CFX functions to the Linux kernel.
I do believe that mechanism-specific interfaces will eventually be
needed though, and since MIT seems to be willing to implement the
interface that CITI is asking for (against your and my recommendation),
I'm instead focusing on making sure that the mechglue/SPI picture is not
muddied, either now, with this unnecessary interface, or in the future
with necessary ones.
Nico
--
More information about the krbdev
mailing list