Projects/Enctype config enhancements

From K5Wiki
Revision as of 14:10, 29 January 2009 by TomYu (talk | contribs) (New page: {{project-early}} Provide a means of specifying inclusions and exclusions in the configuration variables that are lists of enctypes. At present, the only way to specify a non-default enct...)

This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.


Provide a means of specifying inclusions and exclusions in the configuration variables that are lists of enctypes. At present, the only way to specify a non-default enctype list is to explicitly list every enctype. This means that a configuration file with such an explicit list will inherently become out of date when future software releases update the default enctype lists.

One example is

permitted_enctypes = DEFAULT +des-cbc-crc

or

permitted_enctypes = DEFAULT -arcfour-hmac

where DEFAULT designates the default set of enctypes.
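
The following sketch is an added example, not MIT Kerberos code. It resolves the proposed syntax against two releases' default lists and shows why an explicit list goes stale while a relative one does not. The function name `resolve_enctypes`, the left-to-right token semantics, and both default lists are assumptions made for illustration.

```python
# Added illustration; not MIT Kerberos code. Default lists below are constructed
# samples for two hypothetical releases, not the real krb5 defaults.
DEFAULTS_OLD = ["aes256-cts-hmac-sha1-96", "des3-cbc-sha1", "arcfour-hmac"]
DEFAULTS_NEW = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
                "des3-cbc-sha1", "arcfour-hmac"]


def resolve_enctypes(spec, defaults):
    """Resolve an enctype list such as 'DEFAULT -arcfour-hmac'.

    Assumed semantics (the page does not define them): tokens are applied
    left to right; DEFAULT expands to `defaults`; '+name' or a bare name
    appends the enctype if absent; '-name' removes it if present.
    """
    result = []
    for token in spec.replace(",", " ").split():
        if token == "DEFAULT":
            additions = defaults
        elif token.startswith("-"):
            name = token[1:]
            if not name:
                raise ValueError("'-' must be followed by an enctype name")
            result = [e for e in result if e != name]
            continue
        else:
            name = token[1:] if token.startswith("+") else token
            if not name:
                raise ValueError("'+' must be followed by an enctype name")
            additions = [name]
        for enctype in additions:
            if enctype not in result:
                result.append(enctype)
    return result


if __name__ == "__main__":
    explicit = "aes256-cts-hmac-sha1-96 des3-cbc-sha1"   # written for the old release
    relative = "DEFAULT -arcfour-hmac"                   # same intent, relative form
    for label, defaults in (("old", DEFAULTS_OLD), ("new", DEFAULTS_NEW)):
        print(label, "explicit:", resolve_enctypes(explicit, defaults))
        print(label, "relative:", resolve_enctypes(relative, defaults))
```

Under these assumed semantics an exclusion only affects entries already in the list, so `-arcfour-hmac DEFAULT` would leave `arcfour-hmac` enabled; a real design would need to decide whether exclusions should instead always win.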

The OpenSSL cipher list format could be one option, but it is probably too complicated for this purpose.