Proposal to export gssapi context

Ben Cox cox at
Wed Mar 10 11:05:19 EST 2004

On Mar 10, 2004, at 10:48 AM, Nicolas Williams wrote:
> Nico> Of course, on such clients one can limit the set of enctypes one 
> will
> Nico> accept for ticket session keys.  Basically, one must have 
> consistent
> Nico> enctype support throughout accross all applications that share a 
> given
> Nico> Kerberos V credential.  This applies to initiators, and it 
> applies to
> Nico> acceptors.  It's a simple rule.
> Kevin> We have an additional constraint of which enctypes are 
> supported by
> Kevin> the kernel.
> Precisely.  The kernel counts as an "application" for the purposes of
> the above.

So you're saying we should rip out any support for enctypes in Kerberos 
that don't have corresponding GSS-API token formats fully specified?

I think not.

-- Ben

More information about the krbdev mailing list