From 0e9bf73d2b8da55aedd25061faefe6a22d9613d3 Mon Sep 17 00:00:00 2001 From: Nicolas Williams Date: Mon, 4 Jun 2012 17:17:31 -0500 Subject: Add control over session key enctype negotiation Adds a principal string attribute named "session_enctypes" which can specify what enctypes the principal supports for session keys. (For what it's worth, this actually allows one to list des-cbc-md5 as a supported session key enctype, though obviously this hardly matters now.) Add a [realms] section parameter for specifying whether to assume that principals (which lack the session_enctypes attribute) support des-cbc-crc for session keys. This allows those who still need to use allow_weak_crypto=true, for whatever reason, to start reducing the number of tickets issued with des-cbc-crc session keys to clients which still give des-cbc-crc preference in their default_tgs_enctypes list. [ghudson@mit.edu: Miscellaneous edits, cleanups, and fixes; refactored test script; documented session_enctypes attribute] --- src/include/k5-int.h | 1 + 1 file changed, 1 insertion(+) (limited to 'src/include/k5-int.h') diff --git a/src/include/k5-int.h b/src/include/k5-int.h index ca18baf13..ee15eacd8 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h @@ -266,6 +266,7 @@ typedef INT64_TYPE krb5_int64; #define KRB5_CONF_REJECT_BAD_TRANSIT "reject_bad_transit" #define KRB5_CONF_RENEW_LIFETIME "renew_lifetime" #define KRB5_CONF_RESTRICT_ANONYMOUS_TO_TGT "restrict_anonymous_to_tgt" +#define KRB5_CONF_ASSUME_DES_CRC_SESSION "des_crc_session_supported" #define KRB5_CONF_SAFE_CHECKSUM_TYPE "safe_checksum_type" #define KRB5_CONF_SUPPORTED_ENCTYPES "supported_enctypes" #define KRB5_CONF_TICKET_LIFETIME "ticket_lifetime" -- cgit