author | Tom Yu <tlyu@mit.edu> | 2004-06-11 18:34:31 +0000 |
---|---|---|
committer | Tom Yu <tlyu@mit.edu> | 2004-06-11 18:34:31 +0000 |
commit | 86d19484a1151b1628698089c51751d02a147a46 (patch) | |
tree | 4de07b6de710db814ac24a95c2df0d330a3a0ec6 | |
parent | e0c9f3c48eb28a1e7ab004753deae431ef5469c1 (diff) | |
pullup from trunk
ticket: 2585
version_fixed: 1.3.4
version_reported: 1.3.3
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-3@16433 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r-- | doc/ChangeLog | 6 |
-rw-r--r-- | doc/admin.texinfo | 31 |
2 files changed, 20 insertions, 17 deletions
diff --git a/doc/ChangeLog b/doc/ChangeLog index cafd2a4..52e2f69 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,3 +1,9 @@ +2004-06-10 Ken Raeburn <raeburn@mit.edu> + + * admin.texinfo (Supported Encryption Types): Reflect new AES + support in GSSAPI, but keep a warning about interoperability with + old versions. + 2004-02-13 Tom Yu <tlyu@mit.edu> * build.texinfo (Solaris 9): Add section describing workaround for diff --git a/doc/admin.texinfo b/doc/admin.texinfo index ec50002..ec20a89 100644 --- a/doc/admin.texinfo +++ b/doc/admin.texinfo 
@@ -351,23 +351,20 @@ types can be set to some combination of the following strings. @include support-enc.texinfo While aes128-cts and aes256-cts are supported for all Kerberos -operations, they are not supported by the GSSAPI. AES GSSAPI support -will be added after the necessary standardization work is -completed. - -By default, AES is enabled on clients and application servers. -Because of the lack of support for GSSAPI, AES is disabled in the -default KDC supported_enctypes @ref{kdc.conf}. Sites wishing to use -AES encryption types on their KDCs need to be careful not to give -GSSAPI services AES keys. If GSSAPI services are given AES keys, then -services will start to fail in the future when clients supporting AES -for GSSAPI are deployed before updated servers that support AES for -GSSAPI. Sites may wish to use AES for user keys and for the ticket -granting ticket key, although doing so requires specifying what -encryption types are used as each principal is created. Alternatively -sites can use the default configuration which will make AES support -available in clients and servers but not actually use this support -until a future version of Kerberos adds support to GSSAPI. +operations, they are not supported by older versions of our GSSAPI +implementation (krb5-1.3.1 and earlier). + +By default, AES is enabled in this release. Sites wishing to use AES +encryption types on their KDCs need to be careful not to give GSSAPI +services AES keys if the servers have not been updated. If older +GSSAPI services are given AES keys, then services may fail when +clients supporting AES for GSSAPI are used. Sites may wish to use AES +for user keys and for the ticket granting ticket key, although doing +so requires specifying what encryption types are used as each +principal is created. + +If all GSSAPI-based services have been updated before or with the KDC, +this is not an issue. @node Salts, krb5.conf, Supported Encryption Types, Configuration Files @section Salts |
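Review bot: In the doc/ChangeLog hunk, the new entry mentions only "Reflect new AES support in GSSAPI, but keep a warning about interoperability with old versions", yet the admin.texinfo change also replaces the statement that AES is disabled in the default KDC supported_enctypes with "By default, AES is enabled in this release". That is a change to the documented default, not only to the GSSAPI wording, so the entry should say so. Someone scanning the ChangeLog for behaviour that affects existing realms would otherwise miss it.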
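Review bot: In the doc/admin.texinfo hunk, the rewritten paragraph starting "By default, AES is enabled in this release" drops the removed text's reference to the KDC supported_enctypes setting (@ref{kdc.conf}). A site still running GSSAPI services on krb5-1.3.1 or earlier is told not to give those services AES keys, but no longer told where the default is controlled. Suggest keeping the cross-reference to supported_enctypes in @ref{kdc.conf} next to that warning. The same paragraph says using AES only for user and ticket granting ticket keys "requires specifying what encryption types are used as each principal is created" without pointing to where that is documented. The closing sentence "this is not an issue" has no clear antecedent; naming the problem (older GSSAPI services failing when given AES keys) would let the paragraph stand on its own.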