authorNicolas Williams <nico@cryptonector.com>2012-06-04 17:17:31 -0500
committerGreg Hudson <ghudson@mit.edu>2012-06-06 13:46:17 -0400
commit0e9bf73d2b8da55aedd25061faefe6a22d9613d3 (patch)
treed39c9bf38401f5fec0c88f81dfc6945486f470d3 /src/lib/kadm5
parentdacb62f899329496f84e8b4bbc4c4dc94e585bd1 (diff)
Add control over session key enctype negotiation
Adds a principal string attribute named "session_enctypes" which can specify what enctypes the principal supports for session keys. (For what it's worth, this actually allows one to list des-cbc-md5 as a supported session key enctype, though obviously this hardly matters now.) Add a [realms] section parameter for specifying whether to assume that principals (which lack the session_enctypes attribute) support des-cbc-crc for session keys. This allows those who still need to use allow_weak_crypto=true, for whatever reason, to start reducing the number of tickets issued with des-cbc-crc session keys to clients which still give des-cbc-crc preference in their default_tgs_enctypes list. [ghudson@mit.edu: Miscellaneous edits, cleanups, and fixes; refactored test script; documented session_enctypes attribute]
Diffstat (limited to 'src/lib/kadm5')
-rw-r--r--src/lib/kadm5/admin.h2
-rw-r--r--src/lib/kadm5/alt_prof.c6
2 files changed, 8 insertions, 0 deletions
diff --git a/src/lib/kadm5/admin.h b/src/lib/kadm5/admin.h
index 4ce56c626..020962b09 100644
--- a/src/lib/kadm5/admin.h
+++ b/src/lib/kadm5/admin.h
@@ -297,6 +297,8 @@ typedef struct __krb5_realm_params {
unsigned int realm_flags_valid:1;
unsigned int realm_reject_bad_transit_valid:1;
unsigned int realm_restrict_anon_valid:1;
+ unsigned int realm_assume_des_crc_sess:1;
+ unsigned int realm_assume_des_crc_sess_valid:1;
krb5_int32 realm_num_keysalts;
} krb5_realm_params;
diff --git a/src/lib/kadm5/alt_prof.c b/src/lib/kadm5/alt_prof.c
index f182ce643..2198cd1b1 100644
--- a/src/lib/kadm5/alt_prof.c
+++ b/src/lib/kadm5/alt_prof.c
@@ -1048,6 +1048,12 @@ krb5_read_realm_params(kcontext, realm, rparamp)
rparams->realm_restrict_anon_valid = 1;
}
+ hierarchy[2] = KRB5_CONF_ASSUME_DES_CRC_SESSION;
+ if (!krb5_aprof_get_boolean(aprofile, hierarchy, TRUE, &bvalue)) {
+ rparams->realm_assume_des_crc_sess = bvalue;
+ rparams->realm_assume_des_crc_sess_valid = 1;
+ }
+
hierarchy[2] = KRB5_CONF_NO_HOST_REFERRAL;
if (!krb5_aprof_get_string_all(aprofile, hierarchy, &no_refrls))
rparams->realm_no_host_referral = no_refrls;
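Review bot: The new block starting at `hierarchy[2] = KRB5_CONF_ASSUME_DES_CRC_SESSION;` carries no comment saying what the knob controls or what its security effect is, even though per the commit message it is the setting that keeps des-cbc-crc session keys in play for principals that have no "session_enctypes" attribute. I would add above that line: `/* Whether principals lacking a "session_enctypes" attribute are assumed to support des-cbc-crc session keys; only meaningful with allow_weak_crypto. If absent, _valid stays 0 and the consumer of rparams picks the default. */`. It is worth stating explicitly, here or in the kdc.conf documentation, what happens when the parameter is absent, since this hunk only records presence via the `_valid` bit and the default is chosen elsewhere. The `TRUE` passed as the third argument to krb5_aprof_get_boolean appears to be the same selector the neighbouring lookups use rather than a default value, which is worth confirming so nobody reads this code as "defaults to true". krb5_read_realm_params begins before this hunk.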