Proposal to export gssapi context

Ben Cox cox at
Tue Mar 9 21:00:10 EST 2004

On Mar 9, 2004, at 7:22 PM, Sam Hartman wrote:
>>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams at> writes:
>     Nicolas> I've several comments:
>     Nicolas>  - With the Kerberos V mechanism you can control what
>     Nicolas> enctypes are to be used by controlling what enctypes the
>     Nicolas> nfs/* service principals have.
> This only works on the server side.
> I need to control it on the client as well.
> There are multiple implementations out there;)

I want to amplify Sam's comment here: if you have some clients that can 
do 3DES for RPCSEC_GSS you want to allow your nfs/* service principals 
to have 3DES keys.  If you can't limit it on the client side as Kevin 
proposed, then other clients whose user-mode libraries have 3DES 
support but whose kernel NFS client code doesn't support it, you're in 
a spot of difficulty.

-- Ben

More information about the krbdev mailing list