krbdev Digest, Vol 33, Issue 6
Henry B. Hotz
hotz at jpl.nasa.gov
Thu Sep 8 17:59:26 EDT 2005
On Sep 8, 2005, at 9:02 AM, krbdev-request at mit.edu wrote:
> Will> And if the admin is trying to limit the skey enctypes for a
> Will> particular service on a particular system, are they supposed
> Will> to use the permitted_enctypes krb5.conf parameter? If so,
> Will> doesn't this affect all services on that system?
>
> Yes. We have not seen a customer need to limit enctypes on a
> per-service (instead of per-system) basis.
>
> Certainly any policy on what the service will accept needs to be
> validated at the service.
Example: Solaris 9 machine.
Need des-cbc-{crc,md5} only for host/machine for compatibility with
built-in Kerberos.
Want rc4/des3/aes for HTTP/machine because it's using independent
(MIT/Heimdal) libraries.
Want rc4/des3/aes for host/machine also for OpenSSH, but I can't
exactly do this, can I?
I have a hard time imagining the session key having different
restrictions than the service key, but maybe the above SSH example
qualifies.
------------------------------------------------------------------------
----
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
More information about the krbdev
mailing list