Review of http://k5wiki.kerberos.org/wiki/Projects/Disable_DES ending February 13, 2009
Nicolas Williams
Nicolas.Williams at sun.com
Fri Jan 30 12:08:45 EST 2009

I think several sets of interfaces are needed here.

- A krb5.conf knob to manage what long-term key enctypes are allowed
  for pre-authentication.

  This seems to be what the project is proposing.

  The default for this option should be configurable at build time.
  Vendors/distros should be able to set this default to match their
  rules for incompatible changes and their customers' needs.

- A kadmin/kadmin.local interface to manage what ticket encryption and
  ticket session key enctypes are allowed for any principal acting as a
  service principal.

- A kadmin/kadmin.local interface to manage what long-term key enctypes
  are allowed for pre-authentication.

- A kadmin interface for retrieving realm-policy preferences for
  existing and new enctype knobs in krb5.conf, so that tools like
  Solaris' kclient(1M) can be used to update krb5.conf at realm-join
  and re-key time.

I think it's fine to have one project for each of these sets of
interfaces. It'd be fine to have one project for all of them.

Nico