default_tkt_enctypes and default_tgs_enctypes linkage?
Sam Hartman
hartmans at MIT.EDU
Thu Sep 8 15:40:21 EDT 2005
>>>>> "Will" == Will Fiveash <William.Fiveash at sun.com> writes:

Will> What I'm trying to point out here in my long-winded way is
Will> that I don't understand the linkage between
Will> default_tkt_enctypes and default_tgs_enctypes.

I think it's more like you don't understand the fact that
default_tgs_enctypes is used to decide what enctypes are valid tgts to
use for tgs requests *and* what enctypes to request from the TGS.
Fortunately none of us really understand that either; it seems kind of
broken.

The options for fixing it include:

* Introduce a third option
* Have permitted_enctypes influence client behavior
* Combine default_tkt_enctypes and default_tgs_enctypes together
  somehow and retain only one option. Do something to support old
  config files.

Adding a third option seems like the clear wrong direction. The
configuration is too complex; it does not need to get more complex.

Using permitted_enctypes seems wrong because that's designed to
control server behavior.

I think we'd like to move to a single option controlling all client
enctypes including: AS requests, selection of usable credentials from
the cache, TGS requests.

--Sam
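
Added example, not part of the original message and not MIT Kerberos code: a small check that reads the `[libdefaults]` section of a krb5.conf and reports where default_tkt_enctypes and default_tgs_enctypes diverge, based on the behaviour described in the message above. The sample configuration, the realm name and all function names are constructed for illustration.

```python
import re

# Constructed sample krb5.conf fragment (not from the original message).
SAMPLE_CONF = """\
[libdefaults]
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 des3-cbc-sha1 rc4-hmac
    default_tgs_enctypes = aes256-cts-hmac-sha1-96, des3-cbc-sha1
[realms]
    EXAMPLE.COM = { kdc = kdc.example.com }
"""

def libdefaults(conf_text):
    """Return the key/value pairs of the [libdefaults] section."""
    values, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values

def enctype_list(values, option):
    """Split an enctype option on whitespace or commas; None if unset."""
    if option not in values:
        return None
    return [e for e in re.split(r"[\s,]+", values[option]) if e]

def check_linkage(conf_text):
    """Compare the two client enctype lists and report where they diverge."""
    values = libdefaults(conf_text)
    tkt = enctype_list(values, "default_tkt_enctypes")
    tgs = enctype_list(values, "default_tgs_enctypes")
    if tkt is None or tgs is None:
        # Library defaults apply to the unset option; nothing to compare here.
        return {"comparable": False, "tkt_only": [], "tgs_only": []}
    return {
        "comparable": True,
        # Requested in AS requests, but filtered out as a TGT for TGS requests.
        "tkt_only": [e for e in tkt if e not in tgs],
        # Requested from the TGS, but never requested for the TGT itself.
        "tgs_only": [e for e in tgs if e not in tkt],
    }

print(check_linkage(SAMPLE_CONF))
```

A non-empty `tkt_only` list marks enctypes the client may ask for in an AS request and then decline to use as a TGT for TGS requests, which is the linkage the thread is about.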