Proposal to export gssapi context
Ben Cox
cox at djehuti.com
Wed Mar 10 11:05:19 EST 2004
On Mar 10, 2004, at 10:48 AM, Nicolas Williams wrote:
> Nico> Of course, on such clients one can limit the set of enctypes one will
> Nico> accept for ticket session keys. Basically, one must have consistent
> Nico> enctype support throughout across all applications that share a given
> Nico> Kerberos V credential. This applies to initiators, and it applies to
> Nico> acceptors. It's a simple rule.
>
> Kevin> We have an additional constraint of which enctypes are supported by
> Kevin> the kernel.
>
> Precisely. The kernel counts as an "application" for the purposes of
> the above.
So you're saying we should rip out any support for enctypes in Kerberos
that don't have corresponding GSS-API token formats fully specified?
I think not.
-- Ben