Proposal to export gssapi context
cox at djehuti.com
Tue Mar 9 21:00:10 EST 2004
On Mar 9, 2004, at 7:22 PM, Sam Hartman wrote:
>>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams at sun.com> writes:
> Nicolas> I've several comments:
> Nicolas> - With the Kerberos V mechanism you can control what
> Nicolas> enctypes are to be used by controlling what enctypes the
> Nicolas> nfs/* service principals have.
> This only works on the server side.
> I need to control it on the client as well.
> There are multiple implementations out there;)
I want to amplify Sam's comment here: if you have some clients that can
do 3DES for RPCSEC_GSS you want to allow your nfs/* service principals
to have 3DES keys. If you can't limit it on the client side as Kevin
proposed, then other clients whose user-mode libraries have 3DES
support but whose kernel NFS client code doesn't support it, you're in
a spot of difficulty.
More information about the krbdev