Use keytab to select etypes in krb5_get_init_creds_keytab()
stefw at gnome.org
Tue Apr 17 12:53:04 EDT 2012
On 04/16/2012 01:17 AM, Greg Hudson wrote:
> I do want this feature, but I have a few concerns about the patch:
> 1. This doesn't work with krb5_init_creds_set_keytab().
> 2. qsort() isn't a stable sort, so the resulting order of enctypes is
> 3. This patch could introduce enctypes not present in default_tkt_enctypes.
> 4. This patch could result in requesting weak enctypes when
> allow_weak_enctypes is false.
> Heimdal's approach doesn't have problems (1) or (2) but I think does
> have problem (3), and would have problem (4) except that Heimdal pushes
> allow_weak_enctypes down into the crypto layer. I think what I would
> like to see is:
> 1. Make krb5_get_init_creds_keytab use krb5_init_creds_init and
> krb5_init_creds_set_keytab. This will require some care because of the
> use_master fallback.
> 2. In krb5_init_creds_set_keytab, make a temporary list of the etypes
> present in the keytab (for the client principal) and then filter the
> current ctx->request->ktype list for membership in etypes, without
> changing the order.
Thanks for the review.
Here we go. I think the attached patch implements what you outlined.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 9618 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/krbdev/attachments/20120417/efd133eb/attachment.bin
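The attachment itself is not reproduced in the archive, so the following is an added illustration (not the posted patch and not MIT krb5 code) of the order-preserving filter Greg describes in his point (2): collect the enctypes the keytab holds for the client principal, then walk the existing ctx->request->ktype list and keep only members of that set, in their original order. Because nothing is added to the request list, the two other concerns fall out for free: an enctype absent from default_tkt_enctypes can never appear (his point 3), and a weak enctype the keytab happens to contain is never requested unless the caller's list already permitted it (his point 4). The struct kt_entry, the numeric ENCTYPE_* values and the sample keytab contents are constructed stand-ins for the real krb5_keytab_entry and krb5 headers.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Stand-in for krb5_enctype (int32_t in the real headers). */
typedef int32_t enctype_t;

/* Constructed stand-in for a keytab entry: just principal and enctype. */
struct kt_entry {
    const char *principal;
    enctype_t enctype;
};

/* Enctype numbers as registered in RFC 3961/3962/4757 (krb5.h defines the real ENCTYPE_* names). */
#define ENCTYPE_DES_CBC_CRC              1
#define ENCTYPE_DES3_CBC_SHA1            16
#define ENCTYPE_AES128_CTS_HMAC_SHA1_96  17
#define ENCTYPE_AES256_CTS_HMAC_SHA1_96  18
#define ENCTYPE_ARCFOUR_HMAC             23

/*
 * Filter ktypes[0..nktypes) in place so that only enctypes present in the
 * keytab for `client` survive.  Order is preserved (no qsort involved) and
 * nothing is ever added, so allow_weak_enctypes and default_tkt_enctypes
 * keep their effect.  Returns the new length; 0 means the keytab has no
 * usable key for any requested enctype and the caller should fail the AS
 * request rather than proceed.
 */
size_t filter_ktypes_by_keytab(enctype_t *ktypes, size_t nktypes,
                               const struct kt_entry *kt, size_t nkt,
                               const char *client)
{
    size_t out = 0;
    for (size_t i = 0; i < nktypes; i++) {
        int present = 0;
        /* Only entries for the client principal count; other principals'
         * keys in the same keytab are irrelevant to this AS exchange. */
        for (size_t j = 0; j < nkt && !present; j++) {
            if (strcmp(kt[j].principal, client) == 0 &&
                kt[j].enctype == ktypes[i])
                present = 1;
        }
        if (present)
            ktypes[out++] = ktypes[i];
    }
    return out;
}

/* Constructed scenario: a request list in default_tkt_enctypes order and a
 * keytab holding keys for two principals. */
static enctype_t demo_result[8];
static size_t demo_count;

size_t run_demo(void)
{
    enctype_t request[] = {
        ENCTYPE_AES256_CTS_HMAC_SHA1_96,
        ENCTYPE_AES128_CTS_HMAC_SHA1_96,
        ENCTYPE_DES3_CBC_SHA1,
        ENCTYPE_ARCFOUR_HMAC,
    };
    const struct kt_entry keytab[] = {
        { "host/a.example.com@EXAMPLE.COM", ENCTYPE_ARCFOUR_HMAC },
        { "host/a.example.com@EXAMPLE.COM", ENCTYPE_AES256_CTS_HMAC_SHA1_96 },
        /* Weak key for the client: must not be requested, since the
         * request list (built under allow_weak_enctypes) lacks it. */
        { "host/a.example.com@EXAMPLE.COM", ENCTYPE_DES_CBC_CRC },
        /* Key for a different principal: must be ignored. */
        { "host/b.example.com@EXAMPLE.COM", ENCTYPE_AES128_CTS_HMAC_SHA1_96 },
    };
    size_t n = sizeof(request) / sizeof(request[0]);
    n = filter_ktypes_by_keytab(request, n,
                                keytab, sizeof(keytab) / sizeof(keytab[0]),
                                "host/a.example.com@EXAMPLE.COM");
    demo_count = n;
    for (size_t i = 0; i < n; i++)
        demo_result[i] = request[i];
    return n;
}

enctype_t demo_result_at(size_t i)
{
    return i < demo_count ? demo_result[i] : -1;
}

int main(void)
{
    size_t n = run_demo();
    printf("%zu enctype(s) survive, in request order:", n);
    for (size_t i = 0; i < n; i++)
        printf(" %d", (int)demo_result_at(i));
    printf("\n");
    return n == 0;
}
```

Running it keeps aes256 and rc4 (the two keys the keytab has for the client), in the order the request list gave them, and drops aes128 (only present for the other principal), des3 (no key at all) and des-cbc-crc (in the keytab but never in the request list).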