Proposal to export gssapi context

Nicolas Williams Nicolas.Williams at
Wed Mar 10 11:19:38 EST 2004

On Wed, Mar 10, 2004 at 11:05:19AM -0500, Ben Cox wrote:
> On Mar 10, 2004, at 10:48 AM, Nicolas Williams wrote:
> >Nico> Of course, on such clients one can limit the set of enctypes one 
> >will
> >Nico> accept for ticket session keys.  Basically, one must have 
> >consistent
> >Nico> enctype support throughout accross all applications that share a 
> >given
> >Nico> Kerberos V credential.  This applies to initiators, and it 
> >applies to
> >Nico> acceptors.  It's a simple rule.
> >
> >Kevin> We have an additional constraint of which enctypes are 
> >supported by
> >Kevin> the kernel.
> >
> >Precisely.  The kernel counts as an "application" for the purposes of
> >the above.
> So you're saying we should rip out any support for enctypes in Kerberos 
> that don't have corresponding GSS-API token formats fully specified?

In this particular case you only care about the enctypes of tickets for
a particular service principal (the enctypes of TGTs are not an issue in
this case), and the application is very self-contained, so it could use
KRB5CONFIG to reference a config file that turns off the enctypes it
doesn't support :)

> I think not.

Well, that'd be an option, the other option is as described above.

Anyways, I think MIT should decide whether and what to do about this,
and having a mechanism-specific interface for a while is probably not a
big deal.


More information about the krbdev mailing list