author Ken Raeburn <raeburn@mit.edu> 2004-06-10 21:46:01 +0000
committer Ken Raeburn <raeburn@mit.edu> 2004-06-10 21:46:01 +0000
commit c008ef373a0b78cb4d9025421ca266a8aed009fd
tree d604caaa78d7e34a141245cd5686684d67b69cd4 /doc
parent 14433dbdc1573b07d64abcb8911cc489723ba1bb
* admin.texinfo (Supported Encryption Types): Reflect new AES support in
GSSAPI, but keep a warning about interoperability with old versions.

ticket: 2585
tags: pullup
target_version: 1.3.4

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16430 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'doc')
-rw-r--r-- doc/ChangeLog 6
-rw-r--r-- doc/admin.texinfo 31
2 files changed, 20 insertions, 17 deletions
diff --git a/doc/ChangeLog b/doc/ChangeLog
index af8281fe1..2d97803a7 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,3 +1,9 @@
+2004-06-10 Ken Raeburn <raeburn@mit.edu>
+
+ * admin.texinfo (Supported Encryption Types): Reflect new AES
+ support in GSSAPI, but keep a warning about interoperability with
+ old versions.
+
2004-06-02 Ken Raeburn <raeburn@mit.edu>
* threads.txt, thread-safe.txt: New files.
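Review bot: The new 2004-06-10 entry does not record that the documented default changed. The admin.texinfo hunk in this commit drops the statement that AES is disabled in the default KDC supported_enctypes and replaces it with "By default, AES is enabled in this release." An administrator searching the ChangeLog for when that guidance changed would not find it from "Reflect new AES support in GSSAPI", so consider adding a clause to the entry that names the changed default.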
diff --git a/doc/admin.texinfo b/doc/admin.texinfo
index ec500025f..ec20a89d0 100644
--- a/doc/admin.texinfo
+++ b/doc/admin.texinfo
@@ -351,23 +351,20 @@ types can be set to some combination of the following strings.
@include support-enc.texinfo
While aes128-cts and aes256-cts are supported for all Kerberos
-operations, they are not supported by the GSSAPI. AES GSSAPI support
-will be added after the necessary standardization work is
-completed.
-
-By default, AES is enabled on clients and application servers.
-Because of the lack of support for GSSAPI, AES is disabled in the
-default KDC supported_enctypes @ref{kdc.conf}. Sites wishing to use
-AES encryption types on their KDCs need to be careful not to give
-GSSAPI services AES keys. If GSSAPI services are given AES keys, then
-services will start to fail in the future when clients supporting AES
-for GSSAPI are deployed before updated servers that support AES for
-GSSAPI. Sites may wish to use AES for user keys and for the ticket
-granting ticket key, although doing so requires specifying what
-encryption types are used as each principal is created. Alternatively
-sites can use the default configuration which will make AES support
-available in clients and servers but not actually use this support
-until a future version of Kerberos adds support to GSSAPI.
+operations, they are not supported by older versions of our GSSAPI
+implementation (krb5-1.3.1 and earlier).
+
+By default, AES is enabled in this release. Sites wishing to use AES
+encryption types on their KDCs need to be careful not to give GSSAPI
+services AES keys if the servers have not been updated. If older
+GSSAPI services are given AES keys, then services may fail when
+clients supporting AES for GSSAPI are used. Sites may wish to use AES
+for user keys and for the ticket granting ticket key, although doing
+so requires specifying what encryption types are used as each
+principal is created.
+
+If all GSSAPI-based services have been updated before or with the KDC,
+this is not an issue.
@node Salts, krb5.conf, Supported Encryption Types, Configuration Files
@section Salts
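Review bot: In the rewritten second paragraph, "By default, AES is enabled in this release" no longer says where the default applies or how to change it. The removed text named the KDC supported_enctypes setting and carried @ref{kdc.conf}, and the warning that follows still asks sites not to give AES keys to GSSAPI services that have not been updated, so keep a pointer to supported_enctypes and @ref{kdc.conf} so that the reader can find the setting involved. In the same paragraph, "if the servers have not been updated" should repeat the version boundary given in the first paragraph (krb5-1.3.1 and earlier), and the closing "this is not an issue" would read more clearly if it named the issue, that is, older GSSAPI services failing when they hold AES keys.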