Also added preauth-use-strongest-session-key krb5.conf kdc parameter, similar to {as, tgs}-use-strongest-session-key. The latter two control ticket session key enctype selection in the AS and TGS cases, respectively, while the former controls PA-ETYPE-INFO2 enctype selection in the AS case.

Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
Nicolas Williams
2011-04-06 00:52:18 -05:00
committed by Love Hörnquist Åstrand
parent a7a8a7e95c
commit 481fe133b2
4 changed files with 14 additions and 3 deletions


@@ -411,6 +411,10 @@ client's AS-REQ enctype list, that is also supported by the KDC and the
target principal, for the ticket session key. Else it will prefer the
first key from the client's AS-REQ enctype list that is also supported
by the KDC and the target principal. Defaults to TRUE.
.It Li preauth-use-strongest-session-key = Va BOOL
Like as-use-strongest-session-key, but applies to the session key
enctype selection for PA-ETYPE-INFO2 (i.e., for password-based
pre-authentication). Defaults to TRUE.
.It Li tgs-use-strongest-session-key = Va BOOL
Like as-use-strongest-session-key, but applies to the session key
enctype of tickets issued by the TGS. Defaults to TRUE.
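
Review bot: The new preauth-use-strongest-session-key entry describes its effect as "session key enctype selection for PA-ETYPE-INFO2", but PA-ETYPE-INFO2 tells the client which enctype (together with salt and string-to-key parameters) to use for its password-derived long-term key, not for a session key. Suggest rewording along the lines of "applies to the enctype of the client key that the KDC advertises in PA-ETYPE-INFO2", so an administrator does not confuse it with the ticket session key that the two neighbouring options control. Because the entry only says "Like as-use-strongest-session-key", it would also help to spell out the FALSE behaviour for this case (presumably the client's AS-REQ enctype order is followed, as in the context lines above), since that is the setting under which a weaker enctype can end up protecting password-based pre-authentication.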