Difference between revisions of "Projects/Enctype config enhancements"

From K5Wiki
Revision as of 14:10, 29 January 2009

This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.


Provide a means of specifying inclusions and exclusions in the configuration variables that are lists of enctypes. At present, the only way to specify a non-default enctype list is to explicitly list every enctype. This means that a configuration file with such an explicit list will inherently become out of date when future software releases update the default enctype lists.

One example of such a syntax is

permitted_enctypes = DEFAULT +des-cbc-crc

or

permitted_enctypes = DEFAULT -arcfour-hmac

where DEFAULT designates the default set of enctypes.

The OpenSSL cipher list format could be one option, but it is probably too complicated for this purpose.
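
The following resolver is an added illustration of the DEFAULT +/- syntax proposed above; it is not MIT Kerberos code and not part of the original page. The left-to-right semantics, the function name `resolve_enctypes`, and both sample default lists are assumptions made for the example.

```python
# Added illustration; not MIT Kerberos code. Semantics are assumed, since the
# proposal above only gives two example lines.

# Constructed sample default lists for two hypothetical releases.
OLD_DEFAULT = ["aes256-cts-hmac-sha1-96", "des3-cbc-sha1", "arcfour-hmac"]
NEW_DEFAULT = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
               "des3-cbc-sha1", "arcfour-hmac"]


def resolve_enctypes(value, default):
    """Expand an enctype list value against the given default list.

    Assumed semantics: tokens are separated by whitespace or commas and
    applied left to right. DEFAULT adds the default list, "+name" or a bare
    name appends name if absent, and "-name" removes it. Order matters:
    "-x DEFAULT" re-adds x if x is in the default list.
    """
    result = []
    for token in value.replace(",", " ").split():
        if token == "DEFAULT":
            names, remove = default, False
        elif token.startswith("-"):
            names, remove = [token[1:]], True
        elif token.startswith("+"):
            names, remove = [token[1:]], False
        else:
            names, remove = [token], False
        for name in names:
            if not name:
                raise ValueError(f"empty enctype name in token {token!r}")
            name = name.lower()
            if remove:
                result = [n for n in result if n != name]
            elif name not in result:
                result.append(name)
    return result


if __name__ == "__main__":
    explicit = "aes256-cts-hmac-sha1-96 des3-cbc-sha1"
    relative = "DEFAULT -arcfour-hmac"
    # The explicit list is identical under both releases; the relative one
    # picks up the enctype added to the newer default while still excluding
    # arcfour-hmac.
    for label, default in (("old", OLD_DEFAULT), ("new", NEW_DEFAULT)):
        print(label, "explicit:", resolve_enctypes(explicit, default))
        print(label, "relative:", resolve_enctypes(relative, default))
```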