Marcus Watts wrote:
>> Marcus Watts wrote:
>>> I'm in the process of adding "configurable crypto support" to k5ssl,
>>> part of rxk5 for openafs. I have the configuration logic working with
>>> all the features listed below, I just have to merge it in with other
>>> changes also in the queue (such as windows support, verifykt, etc...)
>> "kvno -k keytab" and krb5_server_decrypt_ticket_keytab() have been
>> committed to the MIT Kerberos tree for 1.7.
>
> Good. I doubt kvno -k does exactly what I have, but still good.

It takes the ticket and decrypts it using krb5_server_decrypt_ticket_keytab().

> Good to hear about krb5_server_decrypt_ticket_keytab too.

The other functionality you require will be committed shortly. This will include krb5_get_init_creds_with_keytab, the associated shortcut function, and an implementation of a MEMORY: keytab.

>>> rc4exp is a degraded version of rc4 that has an effective key space of 40 bits,
>>> done by microsoft for export purposes. I don't know if microsoft still
>>> does this, but I believe neither heimdal nor mit support this anymore.
>>> There's certainly no reason to advertise or use this
>>> with openafs.
>> Please do not implement this. Microsoft implemented this in the 90s
>> prior to receiving world-wide export permission for RC4-HMAC. There
>> is no public implementation of this cipher suite.
>
> There is or was a public implementation in MIT for this. It's
> certainly in 1.5, and I recall first finding it in some much
> earlier version. I'm not completely sure that they don't have
> it today. I agree it's not very desirable.

This was implemented years ago by Sam Hartman when it was believed that it would be required for interop. It isn't. I agree it should be removed from MIT's Kerberos.

Jeffrey Altman
