gss_krb5_set_allowable_enctypes query
Kevin Coffman
kwc at citi.umich.edu
Fri Jun 8 10:22:58 EDT 2007
On 6/8/07, Vipin Rathor <v.rathor at gmail.com> wrote:
> hi all,
>
> As I notice that we have a new API called gss_krb5_set_allowable_enctypes()
> with MIT 1.4. I was trying to find out how exactlky it can be used.
> Following is my understanding. Can anyone please confirm my understanding.
> Also I was curious as to why was it introduced , was it for NFS V4 ?
>
> The gss_krb5_set_allowable_enctypes() API is setting the encryption type
> list in the GSS-API credential. This user passed encryption will be used as
> the list of desired encryption algorithms in the GSS-API handshake request.
> The configuration variable [libdefaults] "default_tkt_enctypes" is used if a
> value is not passed to it. One would ideally call it before
> gss_init_sec_context() (and after gss_aquire_cred()) with the list of
> desired encryption type the user wants.
> {
> gss_aquire_cred() //acquire credentials
> ..
> gss_krb5_set_allowable_enctypes() // set the desired encryption type list
> , for eg:
> ..
> gss_init_sec_context() // start the GSS-API handshake
> ...
> }
> The encryption type that will finally get negotiated between the server and
> the client (during the init/accept handshake) will be used by
> gss_warp()/gss_unwarp() APIs.
>
> Thanks in advance!
> -Rathor
Yes, NFSv4 had the need for this function. It allows the Linux
user-land nfs-utils code to negotiate an encryption type that can be
supported by the kernel code -- which may not support the same
encryption types as the user-land code. With this function, you don't
have to set default_tkt_enctypes to the "least common denominator"
enctype, limiting the enctype choice of all applications on the
system.
K.C.
More information about the krbdev
mailing list