issue with krb5int_parse_enctype_list()

Greg Hudson ghudson at MIT.EDU
Thu Jan 20 23:55:32 EST 2011


On Thu, 2011-01-20 at 18:52 -0500, Will Fiveash wrote:
>         } else if (krb5_string_to_enctype(token, &etype) == 0) {
>             /* Set a specific enctype. */
>             mod_list(etype, sel, weak, &list);
>         }
> 
> My concern is, if the admin has mistyped when entering the enctypes for
> the enctype list parameters in krb5.conf, won't this logic silently
> ignore the invalid enctype, because an error return value from
> krb5_string_to_enctype() is ignored?  Shouldn't an error be set which
> can be output/syslogged?

That part of the code's behavior didn't change in 1.8.  In 1.7 and
prior, you'll see the same "just ignore the string if we can't turn it
into an enctype" logic.

Changing the behavior of the code now would carry significant risks:

* Config files which work currently could break after an upgrade.

* Config files written to include or exclude newer enctypes would break
with older Kerberos releases.

* If we ever remove an enctype (e.g. des-hmac-sha1, which as far as I can
tell should never have made it into a release), then that could break
config files written to include or exclude that enctype.
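An added example, not krb5 source: a small C parser modelled on the logic quoted above, written to show both sides of this discussion in running code. An unrecognised token is still skipped, so a config file that parses today keeps parsing, but the token is recorded so a loader can warn about it instead of dropping it silently. The enctype name table is a constructed subset (the numbers are the IANA enctype values), the leading '-' removal syntax, the fixed list sizes, the `mod_list`/`load_enctypes` names and the warning text are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

typedef int krb5_enctype;   /* assumed: an int, as in krb5's own typedef */

/* Constructed subset of the enctype name table (IANA enctype numbers). */
static const struct { const char *name; krb5_enctype etype; } enctype_names[] = {
    { "des-cbc-crc", 1 }, { "des-cbc-md5", 3 }, { "des3-cbc-sha1", 16 },
    { "aes128-cts-hmac-sha1-96", 17 }, { "aes256-cts-hmac-sha1-96", 18 },
    { "arcfour-hmac", 23 },
};

/* Stand-in for krb5_string_to_enctype(): 0 on success, nonzero if unknown. */
static int string_to_enctype(const char *name, krb5_enctype *out)
{
    size_t i;
    for (i = 0; i < sizeof(enctype_names) / sizeof(enctype_names[0]); i++)
        if (strcmp(name, enctype_names[i].name) == 0) {
            *out = enctype_names[i].etype;
            return 0;
        }
    return -1;
}

#define MAX_ETYPES  32
#define MAX_UNKNOWN 32
#define TOKEN_LEN   64

struct enctype_list {
    krb5_enctype etypes[MAX_ETYPES];
    size_t count;
    char unknown[MAX_UNKNOWN][TOKEN_LEN];   /* tokens that named no enctype */
    size_t unknown_count;
};

/* Hypothetical mod_list: append e if absent, or with remove != 0 drop it. */
static void mod_list(struct enctype_list *l, krb5_enctype e, int remove)
{
    size_t i, j = 0;
    for (i = 0; i < l->count; i++) {
        if (l->etypes[i] == e) {
            if (remove) continue;   /* skip it, compacting the array */
            return;                 /* already present, nothing to add */
        }
        l->etypes[j++] = l->etypes[i];
    }
    l->count = j;
    if (!remove && l->count < MAX_ETYPES)
        l->etypes[l->count++] = e;
}

/* Parse a whitespace- or comma-separated list such as
 * "aes256-cts-hmac-sha1-96 des3-cbc-sha1 -des-cbc-crc".  A leading '-'
 * removes the enctype (toy syntax, not krb5's).  A token naming no enctype
 * is skipped, as in the code quoted above, but it is also recorded in
 * ->unknown so the caller can decide whether to warn about it. */
static void parse_enctype_list(const char *spec, struct enctype_list *l)
{
    const char *p = spec;
    memset(l, 0, sizeof(*l));
    while (*p != '\0') {
        char tok[TOKEN_LEN];
        const char *name;
        size_t len, n;
        krb5_enctype e;

        p += strspn(p, " \t,");
        if (*p == '\0')
            break;
        len = strcspn(p, " \t,");
        n = len < TOKEN_LEN ? len : TOKEN_LEN - 1;   /* truncate long tokens */
        memcpy(tok, p, n);
        tok[n] = '\0';
        p += len;

        name = (tok[0] == '-') ? tok + 1 : tok;
        if (string_to_enctype(name, &e) == 0)
            mod_list(l, e, tok[0] == '-');
        else if (l->unknown_count < MAX_UNKNOWN)
            snprintf(l->unknown[l->unknown_count++], TOKEN_LEN, "%s", tok);
    }
}

/* Config loader: keeps the backward-compatible "ignore it" result but
 * reports every unknown token on stderr.  Returns the number reported. */
static size_t load_enctypes(const char *spec, struct enctype_list *l)
{
    size_t i;
    parse_enctype_list(spec, l);
    for (i = 0; i < l->unknown_count; i++)
        fprintf(stderr, "warning: unknown enctype '%s' in enctype list ignored\n",
                l->unknown[i]);
    return l->unknown_count;
}

int main(void)
{
    struct enctype_list l;
    size_t i, n;
    /* Constructed krb5.conf value containing a typo ("hamc" for "hmac"). */
    n = load_enctypes("aes256-cts-hamc-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1", &l);
    printf("%zu enctype(s) kept, %zu token(s) ignored\n", l.count, n);
    for (i = 0; i < l.count; i++)
        printf("  enctype %d\n", l.etypes[i]);
    return 0;
}
```

With the constructed input above, the typo'd AES-256 name is dropped exactly as the current krb5 logic would drop it, so only AES-128 and DES3 end up in the list, but the loader prints one warning naming the bad token. Whether to go further and fail the parse is the compatibility trade-off Greg lays out in the three points above; a warning on the existing "ignore" behaviour changes no parse result.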
