Use keytab to select etypes in krb5_get_init_creds_keytab()

Stef Walter stefw at gnome.org
Tue Apr 17 12:53:04 EDT 2012


On 04/16/2012 01:17 AM, Greg Hudson wrote:
> I do want this feature, but I have a few concerns about the patch:
> 
> 1. This doesn't work with krb5_init_creds_set_keytab().
> 2. qsort() isn't a stable sort, so the resulting order of enctypes is
> unpredictable.
> 3. This patch could introduce enctypes not present in default_tkt_enctypes.
> 4. This patch could result in requesting weak enctypes when
> allow_weak_enctypes is false.
> 
> Heimdal's approach doesn't have problems (1) or (2) but I think does
> have problem (3), and would have problem (4) except that Heimdal pushes
> allow_weak_enctypes down into the crypto layer.  I think what I would
> like to see is:
> 
> 1. Make krb5_get_init_creds_keytab use krb5_init_creds_init and
> krb5_init_creds_set_keytab.  This will require some care because of the
> use_master fallback.
> 
> 2. In krb5_init_creds_set_keytab, make a temporary list of the etypes
> present in the keytab (for the client principal) and then filter the
> current ctx->request->ktype list for membership in etypes, without
> changing the order.

Thanks for the review.

Here we go. I think the attached patch implements what you outlined.

Cheers,

Stef
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-When-initing-credentials-for-keytab-limit-to-enctype.patch
Type: text/x-patch
Size: 9618 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/krbdev/attachments/20120417/efd133eb/attachment.bin
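Because the attachment was scrubbed from the archive, the patch itself is not visible here. The following is an added example, written for this page and not code from Stef's patch or from MIT krb5, that shows the two steps Greg outlines above: collect the enctypes a keytab holds for the client principal, then filter the existing request ktype list for membership in that set without reordering it. The `struct kt_entry` array, `keytab_etypes()`, `filter_ktypes()` and the `ENCTYPE_*` enum are stand-ins for krb5's keytab iteration and `ctx->request->ktype`; the enctype numbers are the IANA assignments (RFC 3961, 3962, 4757), and the keytab and request contents are constructed for the demonstration. Because the request list is only ever narrowed, a weak type present in the keytab (DES here) cannot be reintroduced when `allow_weak_enctypes` has already excluded it, and the preference order survives because nothing is sorted.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Kerberos enctype numbers (RFC 3961, RFC 3962, RFC 4757). */
enum {
    ENCTYPE_DES_CBC_CRC             = 1,   /* weak */
    ENCTYPE_DES3_CBC_SHA1           = 16,
    ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 17,
    ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18,
    ENCTYPE_ARCFOUR_HMAC            = 23
};

#define MAX_ETYPES 32

/* Hypothetical flattened keytab: one (principal, enctype) pair per key.
 * Stands in for walking a real keytab with krb5_kt_start_seq_get(). */
struct kt_entry {
    const char *princ;
    int enctype;
};

/* Step 1: build the temporary list of enctypes the keytab holds for the
 * client principal.  Duplicates (several kvnos of one key type) collapse. */
static size_t keytab_etypes(const struct kt_entry *kt, size_t nkt,
                            const char *client, int *out, size_t max)
{
    size_t i, j, n = 0;

    for (i = 0; i < nkt; i++) {
        if (strcmp(kt[i].princ, client) != 0)
            continue;
        for (j = 0; j < n; j++)
            if (out[j] == kt[i].enctype)
                break;
        if (j == n && n < max)
            out[n++] = kt[i].enctype;
    }
    return n;
}

/* Step 2: keep only the request enctypes the keytab can decrypt, walking
 * the request list in order.  Nothing is sorted, so the preference order
 * already in the request survives, and nothing absent from the request
 * (weak or otherwise) can be introduced.  out must hold nreq entries. */
static size_t filter_ktypes(const int *request, size_t nreq,
                            const int *present, size_t npresent, int *out)
{
    size_t i, j, n = 0;

    for (i = 0; i < nreq; i++) {
        for (j = 0; j < npresent; j++) {
            if (request[i] == present[j]) {
                out[n++] = request[i];
                break;
            }
        }
    }
    return n;
}

int main(void)
{
    /* Constructed keytab: the client has AES256, RC4 and a legacy DES key;
     * an unrelated principal has AES128. */
    const struct kt_entry kt[] = {
        { "host/a.example.com@EXAMPLE.COM", ENCTYPE_AES256_CTS_HMAC_SHA1_96 },
        { "host/a.example.com@EXAMPLE.COM", ENCTYPE_ARCFOUR_HMAC },
        { "host/a.example.com@EXAMPLE.COM", ENCTYPE_DES_CBC_CRC },
        { "host/b.example.com@EXAMPLE.COM", ENCTYPE_AES128_CTS_HMAC_SHA1_96 },
    };
    /* Constructed request list: what default_tkt_enctypes would yield with
     * allow_weak_enctypes = false, in preference order. */
    const int request[] = {
        ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96,
        ENCTYPE_DES3_CBC_SHA1, ENCTYPE_ARCFOUR_HMAC
    };
    int present[MAX_ETYPES], ktypes[MAX_ETYPES];
    size_t np, nk, i;

    np = keytab_etypes(kt, sizeof(kt) / sizeof(kt[0]),
                       "host/a.example.com@EXAMPLE.COM", present, MAX_ETYPES);
    nk = filter_ktypes(request, sizeof(request) / sizeof(request[0]),
                       present, np, ktypes);

    if (nk == 0) {
        /* Keytab and request share no enctype: the caller must fail here
         * rather than send an empty etype list to the KDC. */
        fprintf(stderr, "no usable enctype in keytab\n");
        return 1;
    }
    printf("AS-REQ etypes:");
    for (i = 0; i < nk; i++)
        printf(" %d", ktypes[i]);
    printf("\n");   /* AS-REQ etypes: 18 23 */
    return 0;
}
```

The empty-result branch is the check a practitioner wants: if the keytab's keys and the configured request types have no enctype in common, the filtered list is empty, and the client should report that instead of issuing an AS-REQ it can never decrypt the reply to.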

