Well, I'm setting the profile in code, so I'll have to patch anyway, but I'll do the krb5_get_permitted_enctypes() thing. I had a todo to try to figure out how to get the default out of the context/profile, so at least it's only hard-coded in one place now. :)
Thanks,
Chris

On 2011/08/15 10:38, Russ Allbery wrote:
> Luke Howard<[email protected]> writes:
>> On 15/08/2011, at 5:27 AM, Chris Hecker wrote:
>
>>> I have a closed system that doesn't need to interoperate with any other
>>> kerberos servers. Should I just force everything to
>>> ENCTYPE_AES256_CTS_HMAC_SHA1_96? Is there a downside to doing this?
>
>> In configuration files, do what you like but -- if you're writing code,
>> I would try and be a little more flexible. e.g. you could call
>> krb5_get_permitted_enctypes() and select the first (I'm sure Greg will
>> have a better idea).
>
> Yes, for configuration it's not a horrible idea, but in your code, if
> someone breaks AES and you want to switch to Camellia or something else,
> you don't want to have to do code patches.

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
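The suggestion in the quoted reply (ask the context for its permitted enctypes and take the first), as an added example that is not part of the original thread or of any poster's code. The `pick_enctype` helper, its deny list and the `USE_LIBKRB5` build flag are hypothetical; the library calls assume MIT krb5, and without the flag the program runs on a constructed list.

```c
/* Added example. Build with  cc -DUSE_LIBKRB5 pick.c -lkrb5  to query MIT krb5;
 * without that flag it uses a constructed list so it runs offline. */
#include <stdint.h>
#include <stdio.h>

#ifdef USE_LIBKRB5
#include <krb5.h>
#else
typedef int32_t krb5_enctype;                 /* stand-in for the krb5.h typedef */
#define ENCTYPE_AES128_CTS_HMAC_SHA1_96 0x0011
#define ENCTYPE_AES256_CTS_HMAC_SHA1_96 0x0012
#define ENCTYPE_ARCFOUR_HMAC            0x0017
#endif

/* Hypothetical helper: first entry of the zero-terminated permitted list that
 * is not in the zero-terminated deny list; 0 (ENCTYPE_NULL) if none qualifies. */
krb5_enctype pick_enctype(const krb5_enctype *permitted, const krb5_enctype *denied)
{
    for (; permitted && *permitted; permitted++) {
        const krb5_enctype *d = denied;
        while (d && *d && *d != *permitted)
            d++;
        if (!d || !*d) return *permitted;     /* not denied: use it */
    }
    return 0;                                 /* fail closed, no silent default */
}

int main(void)
{
    static const krb5_enctype denied[] = { ENCTYPE_ARCFOUR_HMAC, 0 };
#ifdef USE_LIBKRB5
    krb5_context ctx;
    krb5_enctype *permitted = NULL;
    if (krb5_init_context(&ctx)) return 1;
    if (krb5_get_permitted_enctypes(ctx, &permitted)) {
        krb5_free_context(ctx); return 1;
    }
    printf("selected enctype %d\n", (int)pick_enctype(permitted, denied));
    krb5_free_enctypes(ctx, permitted);
    krb5_free_context(ctx);
#else
    /* Constructed sample list, not output from a real context. */
    static const krb5_enctype permitted[] = { ENCTYPE_ARCFOUR_HMAC,
        ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96, 0 };
    printf("selected enctype %d\n", (int)pick_enctype(permitted, denied));
#endif
    return 0;
}
```

With this shape, changing the cipher is a change to the context's permitted enctypes rather than a code patch, and an empty result is an error to handle rather than a reason to fall back to a constant.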
