gss_krb5_set_allowable_enctypes query

Vipin Rathor v.rathor at
Fri Jun 8 08:35:16 EDT 2007

hi all,

As I notice that we have a new API called  gss_krb5_set_allowable_enctypes()
with MIT 1.4. I was trying to find out how exactlky it can be used.
Following is my understanding. Can anyone please confirm my understanding.
Also I was curious as to why was it introduced , was it for NFS V4 ?

The gss_krb5_set_allowable_enctypes() API is setting the encryption type
list in the GSS-API credential. This user passed encryption will be used as
the list of desired encryption algorithms in the GSS-API handshake request.
The configuration variable [libdefaults] "default_tkt_enctypes" is used if a
value is not passed to it. One would ideally call it before
gss_init_sec_context() (and after gss_aquire_cred()) with the list of
desired encryption type the user wants.
gss_aquire_cred()   //acquire credentials
gss_krb5_set_allowable_enctypes()   // set the desired encryption type list
, for eg:
gss_init_sec_context()  // start the GSS-API handshake
The encryption type that will finally get negotiated between the server and
the client  (during the init/accept handshake) will be used by
gss_warp()/gss_unwarp() APIs.

Thanks in advance!

More information about the krbdev mailing list