Project review: policy extensions

ghudson@MIT.EDU ghudson at MIT.EDU
Thu Jul 19 19:47:14 EDT 2012

Nico has developed an enhancement to extend kadm5 policy objects to
include new fields, much like we did in 1.8 for lockout support.  The
only new field implemented at this time is -keygenenctypes, which
restricts the enctype:salttype pairs a principal can use when
generating new keys, but there is also room in the extended policy
object for attribute flags, maximum ticket life and renewable life,
and tl-data for future extensions.

Here is the project writeup:

Feedback is appreciated.

More information about the krbdev mailing list