Proposal to export gssapi context
Nicolas.Williams at sun.com
Wed Mar 10 11:19:38 EST 2004
On Wed, Mar 10, 2004 at 11:05:19AM -0500, Ben Cox wrote:
> On Mar 10, 2004, at 10:48 AM, Nicolas Williams wrote:
> >Nico> Of course, on such clients one can limit the set of enctypes one
> >Nico> accept for ticket session keys. Basically, one must have
> >Nico> enctype support throughout accross all applications that share a
> >Nico> Kerberos V credential. This applies to initiators, and it
> >applies to
> >Nico> acceptors. It's a simple rule.
> >Kevin> We have an additional constraint of which enctypes are
> >supported by
> >Kevin> the kernel.
> >Precisely. The kernel counts as an "application" for the purposes of
> >the above.
> So you're saying we should rip out any support for enctypes in Kerberos
> that don't have corresponding GSS-API token formats fully specified?
In this particular case you only care about the enctypes of tickets for
a particular service principal (the enctypes of TGTs are not an issue in
this case), and the application is very self-contained, so it could use
KRB5CONFIG to reference a config file that turns off the enctypes it
doesn't support :)
> I think not.
Well, that'd be an option, the other option is as described above.
Anyways, I think MIT should decide whether and what to do about this,
and having a mechanism-specific interface for a while is probably not a
More information about the krbdev