>It looks to me (from [1]) that we only support max_ssf of 56 >(i.e. DES-56) with GSSAPI implementation of Kerberos in Cyrus SASL. Can >someone please confirm on this ? I am looking for AES 256 bit encryption >with Kerberos mechanism. If that's not supported is there any plan for >supporting it ? Please advice. That information is not accurate. There's not really a way for a GSSAPI mechanism to communicate what kind of encryption algorithm it is using (your choices are "encryption" or "no encryption"). So the Cyrus-SASL code hardcodes a SSF of 56 for all GSSAPI mechanisms (you can look in the source code to confirm this). But this has nothing to do with the ACTUAL encryption used; that's chosen for you by Kerberos. I wish the designers of GSSAPI had made a way to determine the encryption algorithm or strength used when using the wrap functions, but that wasn't done. I can only tell you that when I dug down into it, I convinced myself that as long as you negotiated a strong session key you were getting strong encryption. And you can look at your Kerberos tickets to see the encryption type that was negotiated. --Ken
