Unfortunately, pre-1.7 krshd fails to support keyed checksums because

it uses the wrong API and wrong key usage.  So, if the auth_context
has an explicit checksum type set, then respect that.  kcmd sets such
a checksum type.  Also, because other applications may have the same
problem, allow the config file variable if set to override the default
checksum.

* kcmd.c: Force use of rsa_md5
* init_ctx.c: do not default  to md5
* mk_req_ext.c: allow auth_context to override

ticket: 1624

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22160 dc483132-0cff-0310-8789-dd5450dbe970

1 files changed, 2 insertions, 2 deletions

diff --git a/doc/admin.texinfo b/doc/admin.texinfo
index f106e2e347..9a19837576 100644
--- a/doc/admin.texinfo
+++ b/doc/admin.texinfo
@@ -462,8 +462,8 @@ Kerberos library.  The default is @value{DefaultKDCTimesync}.
 An integer which specifies the type of checksum to use.  Used for
 compatability with DCE security servers which do not support the
 default @value{DefaultChecksumType} used by this version of Kerberos.
-Note that the ap_req_checksum_type variable's value is ignored.  The
-kdc_req_checksum_type is only used for DES keys.   The possible values and their meanings are as follows.
+The
+kdc_req_checksum_type is only used for DES keys.   The ap_req_checksum_type defaults to the preferred checksum for the encryption type being used if unset.  If set, then the selected checksum is used regardless of the type of key being used.  The possible values and their meanings are as follows.
 
 @comment taken from krb5/src/include/krb5.h[in]
 @table @b