Luke Howard <[email protected]> writes:
> On 15/08/2011, at 5:27 AM, Chris Hecker wrote:

>> I have a closed system that doesn't need to interoperate with any other
>> kerberos servers. Should I just force everything to
>> ENCTYPE_AES256_CTS_HMAC_SHA1_96? Is there a downside to doing this?

> In configuration files, do what you like but -- if you're writing code,
> I would try and be a little more flexible. e.g. you could call
> krb5_get_permitted_enctypes() and select the first (I'm sure Greg will
> have a better idea).

Yes, for configuration it's not a horrible idea, but in your code, if
someone breaks AES and you want to switch to Camellia or something else,
you don't want to have to do code patches.

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
