spelling from Josef El-Rayes <josef@FreeBSD.org>
while here, write some text about the SPNEGO situation

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@13837 ec53bebd-3082-4978-b11e-865c3cabbd6b
@@ -109,15 +109,15 @@ implementations when using
|
|||||||
.Fn gss_get_mic
|
.Fn gss_get_mic
|
||||||
/
|
/
|
||||||
.Fn gss_verify_mic .
|
.Fn gss_verify_mic .
|
||||||
Its possible to modify the behavior of the generator of the MIC with
|
It is possible to modify the behavior of the generator of the MIC with
|
||||||
the
|
the
|
||||||
.Pa krb5.conf
|
.Pa krb5.conf
|
||||||
configuration file so that old clients/servers will still
|
configuration file so that old clients/servers will still
|
||||||
work.
|
work.
|
||||||
.Pp
|
.Pp
|
||||||
New clients/servers will try both the old and new MIC in Heimdal 0.6.
|
New clients/servers will try both the old and new MIC in Heimdal 0.6.
|
||||||
In 0.7 it will check only if configured and the compatibility code
|
In 0.7 it will check only if configured - the compatibility code will
|
||||||
will be removed in 0.8.
|
be removed in 0.8.
|
||||||
.Pp
|
.Pp
|
||||||
Heimdal 0.6 still generates by default the broken GSS-API DES3 mic,
|
Heimdal 0.6 still generates by default the broken GSS-API DES3 mic,
|
||||||
this will change in 0.7 to generate correct des3 mic.
|
this will change in 0.7 to generate correct des3 mic.
|
||||||
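Review bot: The reworded line "In 0.7 it will check only if configured - the compatibility code will" joins two statements with a bare " - ", which mdoc prints as a plain hyphen, and "it" has no clear referent now that the preceding sentence talks about "New clients/servers" in the plural. Suggest splitting it into two sentences, each starting on its own source line, and naming what is checked in 0.7 (the old MIC, presumably) so an administrator can tell which verification path stays enabled. While on a spelling pass, the context lines "Heimdal 0.6 still generates by default the broken GSS-API DES3 mic, this will change in 0.7 to generate correct des3 mic." are a comma splice and mix "MIC"/"mic" and "DES3"/"des3" within one paragraph.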
@@ -138,17 +138,29 @@ If a match for a entry is in both
|
|||||||
.Ar correct_des3_mic
|
.Ar correct_des3_mic
|
||||||
and
|
and
|
||||||
.Nm [gssapi]
|
.Nm [gssapi]
|
||||||
.Ar correct_des3_mic ,
|
.Ar broken_des3_mic ,
|
||||||
the later will override.
|
the later will override.
|
||||||
.Pp
|
.Pp
|
||||||
This config option modifies behaviour for both clients and servers.
|
This config option modifies behaviour for both clients and servers.
|
||||||
.Pp
|
.Pp
|
||||||
Example:
|
Microsoft implemented SPNEGO to Windows2000, however, they manage to
|
||||||
|
get it wrong, their implementation didn't fill in the MechListMIC in
|
||||||
|
the reply token with the right content.
|
||||||
|
There is a work around for this problem, but not all implementation
|
||||||
|
support it.
|
||||||
|
.Pp
|
||||||
|
Heimdal defaults to correct SPNEGO when the the kerberos
|
||||||
|
implementation uses CFX, or when its configured by the user.
|
||||||
|
To turn on compatibility with peers, use option
|
||||||
|
.Nm [gssapi]
|
||||||
|
.Ar require_mechlist_mic .
|
||||||
|
.Sh EXAMPLES
|
||||||
.Bd -literal -offset indent
|
.Bd -literal -offset indent
|
||||||
[gssapi]
|
[gssapi]
|
||||||
broken_des3_mic = cvs/*@SU.SE
|
broken_des3_mic = cvs/*@SU.SE
|
||||||
broken_des3_mic = host/*@E.KTH.SE
|
broken_des3_mic = host/*@E.KTH.SE
|
||||||
correct_des3_mic = host/*@SU.SE
|
correct_des3_mic = host/*@SU.SE
|
||||||
|
require_mechlist_mic = host/*@SU.SE
|
||||||
.Ed
|
.Ed
|
||||||
.Sh BUGS
|
.Sh BUGS
|
||||||
All of 0.5.x versions of
|
All of 0.5.x versions of
|
||||||
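Review bot: The added sentence "To turn on compatibility with peers, use option [gssapi] require_mechlist_mic" does not say what a match does, and the option name reads as the opposite of a compatibility switch: from this text an administrator cannot tell whether listing a peer makes Heimdal insist on the MechListMIC or accept the Windows 2000 form that lacks the right content. Please state the behaviour for matched and unmatched principals, and whether it applies to both clients and servers as the des3 options are said to; the new example line "require_mechlist_mic = host/*@SU.SE" has the same gap. The SPNEGO paragraphs also sit directly after the des3 option text with no heading or paragraph of their own introducing the topic, and the old "Example:" lead-in is replaced by ".Sh EXAMPLES" covering both features, so a sentence tying each example line to its option would help. Since this is a spelling commit, the new text needs the same pass: "the the kerberos", "when its configured" (the slip fixed in the first hunk), "they manage to get it wrong", "not all implementation support it", "Windows2000", "work around" as a noun; the context line "the later will override" should read "the latter", and "behaviour" here disagrees with "behavior" in the first hunk.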