author | Nicolas Williams <nico@cryptonector.com> | 2012-06-04 17:17:31 -0500 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2012-06-06 13:46:17 -0400 |
commit | 0e9bf73d2b8da55aedd25061faefe6a22d9613d3 (patch) | |
tree | d39c9bf38401f5fec0c88f81dfc6945486f470d3 /src/kdc/extern.h | |
parent | dacb62f899329496f84e8b4bbc4c4dc94e585bd1 (diff) | |
Add control over session key enctype negotiation
Adds a principal string attribute named "session_enctypes" which can
specify what enctypes the principal supports for session keys. (For
what it's worth, this actually allows one to list des-cbc-md5 as a
supported session key enctype, though obviously this hardly matters
now.)
Add a [realms] section parameter for specifying whether to assume that
principals (which lack the session_enctypes attribute) support
des-cbc-crc for session keys. This allows those who still need to use
allow_weak_crypto=true, for whatever reason, to start reducing the
number of tickets issued with des-cbc-crc session keys to clients
which still give des-cbc-crc preference in their default_tgs_enctypes
list.
[ghudson@mit.edu: Miscellaneous edits, cleanups, and fixes; refactored
test script; documented session_enctypes attribute]
Diffstat (limited to 'src/kdc/extern.h')
-rw-r--r-- | src/kdc/extern.h | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/src/kdc/extern.h b/src/kdc/extern.h
index 3866c6c1fd..c601e5702b 100644
--- a/src/kdc/extern.h
+++ b/src/kdc/extern.h
@@ -70,6 +70,7 @@ typedef struct __kdc_realm_data {
 krb5_deltat realm_maxrlife; /* Maximum renewable life for realm */
 krb5_boolean realm_reject_bad_transit; /* Accept unverifiable transited_realm ? */
 krb5_boolean realm_restrict_anon; /* Anon to local TGT only */
+ krb5_boolean realm_assume_des_crc_sess; /* Assume princs support des-cbc-crc for session keys */
 } kdc_realm_t;
 
 extern kdc_realm_t **kdc_realmlist;
@@ -91,6 +92,7 @@ kdc_realm_t *find_realm_data (char *, krb5_ui_4);
 #define tgs_server kdc_active_realm->realm_tgsprinc
 #define reject_bad_transit kdc_active_realm->realm_reject_bad_transit
 #define restrict_anon kdc_active_realm->realm_restrict_anon
+#define assume_des_crc_sess kdc_active_realm->realm_assume_des_crc_sess
 
 /* various externs for KDC */
 extern krb5_data empty_string; /* an empty string */ |
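Review bot: The comment on the new `realm_assume_des_crc_sess` field in the first hunk omits the condition that scopes the flag: per the commit message it applies only to principals that lack the `session_enctypes` attribute, and des-cbc-crc is a single-DES enctype that the message itself ties to `allow_weak_crypto`. I would word it as `/* Assume princs without session_enctypes support des-cbc-crc (single DES) session keys */`. Where the field is initialised and what it defaults to are not visible in this file, so the default should be stated next to the code that parses the realm parameter. The `kdc_realm_t` definition starts above the hunk.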
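Review bot: The new `assume_des_crc_sess` accessor in the second hunk reads the policy through the global `kdc_active_realm`, so its value depends on which realm is active at the point of use, and nothing in this header says so. Because this flag decides whether a weak session enctype is assumed for a principal, a comment above the accessor block such as `/* Valid only once kdc_active_realm has been set for the request's realm */` would make the precondition explicit for callers. The lowercase object-like name matches the neighbouring defines, but it also rewrites any local variable or member called `assume_des_crc_sess` in files that include this header, which is worth a word in the same comment. The block of defines starts above the hunk.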