oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Rename and fix as/tgs-use-strongest-key config parameters

Browse Source 
Different ticket session key enctype selection options should
    distinguish between target principal type (krbtgt vs. not), not
    between KDC request types.
This commit is contained in:
Nicolas Williams
2011-11-25 17:21:04 -06:00
parent c930853dd1
commit c757eb7fb0
5 changed files with 31 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
lib/krb5/krb5.conf.5
View File

@@ -432,19 +432,22 @@ Default is the same as
.Va enable-kerberos4 .
.It Li enable-http = Va BOOL
Should the kdc answer kdc-requests over http.
.It Li as-use-strongest-session-key = Va BOOL
.It Li tgt-use-strongest-session-key = Va BOOL
If this is TRUE then the KDC will prefer the strongest key from the
client's AS-REQ enctype list, that is also supported by the KDC and the
target principal, for the ticket session key. Else it will prefer the
first key from the client's AS-REQ enctype list that is also supported
by the KDC and the target principal. Defaults to TRUE.
client's AS-REQ or TGS-REQ enctype list for the ticket session key that
is supported by the KDC and the target principal when the target
principal is a krbtgt principal. Else it will prefer the first key from
the client's AS-REQ enctype list that is also supported by the KDC and
the target principal. Defaults to TRUE.
.It Li svc-use-strongest-session-key = Va BOOL
Like tgt-use-strongest-session-key, but applies to the session key
enctype of tickets for services other than krbtgt principals. Defaults
to TRUE.
.It Li preauth-use-strongest-session-key = Va BOOL
Like as-use-strongest-session-key, but applies to the session key
enctype selection for PA-ETYPE-INFO2 (i.e., for password-based
pre-authentication). Defaults to TRUE.
.It Li tgs-use-strongest-session-key = Va BOOL
Like as-use-strongest-session-key, but applies to the session key
enctype of tickets issued by the TGS. Defaults to TRUE.
If TRUE then select the strongest possible enctype from the client's
AS-REQ for PA-ETYPE-INFO2 (i.e., for password-based pre-authentication).
Else pick the first supported enctype from the client's AS-REQ. Defaults
to TRUE.
.It Li use-strongest-server-key = Va BOOL
If TRUE then the KDC picks, for the ticket encrypted part's key, the
first supported enctype from the target service principal's hdb entry's