gss_krb5_set_allowable_enctypes query

Kevin Coffman kwc at
Fri Jun 8 10:22:58 EDT 2007

On 6/8/07, Vipin Rathor <v.rathor at> wrote:
> hi all,
> As I notice that we have a new API called  gss_krb5_set_allowable_enctypes()
> with MIT 1.4. I was trying to find out how exactlky it can be used.
> Following is my understanding. Can anyone please confirm my understanding.
> Also I was curious as to why was it introduced , was it for NFS V4 ?
> The gss_krb5_set_allowable_enctypes() API is setting the encryption type
> list in the GSS-API credential. This user passed encryption will be used as
> the list of desired encryption algorithms in the GSS-API handshake request.
> The configuration variable [libdefaults] "default_tkt_enctypes" is used if a
> value is not passed to it. One would ideally call it before
> gss_init_sec_context() (and after gss_aquire_cred()) with the list of
> desired encryption type the user wants.
> {
> gss_aquire_cred()   //acquire credentials
> ..
> gss_krb5_set_allowable_enctypes()   // set the desired encryption type list
> , for eg:
> ..
> gss_init_sec_context()  // start the GSS-API handshake
> ...
> }
> The encryption type that will finally get negotiated between the server and
> the client  (during the init/accept handshake) will be used by
> gss_warp()/gss_unwarp() APIs.
> Thanks in advance!
> -Rathor

Yes, NFSv4 had the need for this function.  It allows the Linux
user-land nfs-utils code to negotiate an encryption type that can be
supported by the kernel code -- which may not support the same
encryption types as the user-land code.  With this function, you don't
have to set default_tkt_enctypes to the "least common denominator"
enctype, limiting the enctype choice of all applications on the


More information about the krbdev mailing list