Re: Kerberos Mechanism - Supported MAX_SSF


>It looks to me (from [1]) that we only support max_ssf of 56
>(i.e. DES-56) with GSSAPI implementation of Kerberos in Cyrus SASL. Can
>someone please confirm this? I am looking for AES 256 bit encryption
>with Kerberos mechanism. If that's not supported, is there any plan for
>supporting it? Please advise.

That information is not accurate.

There's not really a way for a GSSAPI mechanism to communicate what kind
of encryption algorithm it is using (your choices are "encryption" or
"no encryption").  So the Cyrus-SASL code hardcodes an SSF of 56 for all
GSSAPI mechanisms (you can look in the source code to confirm this).
But this has nothing to do with the ACTUAL encryption used; that's
chosen for you by Kerberos.  I wish the designers of GSSAPI had made a
way to determine the encryption algorithm or strength used when using
the wrap functions, but that wasn't done.  I can only tell you that when
I dug down into it, I convinced myself that as long as you negotiated a
strong session key you were getting strong encryption.  And you can look
at your Kerberos tickets to see the encryption type that was negotiated.

--Ken
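
The reply's last suggestion (look at the tickets to see the negotiated encryption type) can be scripted. The following is an added example, not part of the original message or of Cyrus SASL: it assumes the `Etype (skey, tkt):` line format printed by MIT Kerberos `klist -e`, runs on a constructed sample, and uses a hypothetical function name `audit_klist`.

```python
import re

SASL_GSSAPI_SSF = 56  # fixed SSF the reply says Cyrus SASL reports for GSSAPI

# Commonly cited effective strength in bits, keyed by enctype name as klist prints it.
ETYPE_BITS = {
    "des-cbc-crc": 56, "des-cbc-md5": 56, "des3-cbc-sha1": 112,
    "arcfour-hmac": 128,
    "aes128-cts-hmac-sha1-96": 128, "aes256-cts-hmac-sha1-96": 256,
    "aes128-cts-hmac-sha256-128": 128, "aes256-cts-hmac-sha384-192": 256,
}
DEPRECATED = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "arcfour-hmac"}

# Ticket line: two date/time pairs followed by the service principal.
TICKET_LINE = re.compile(r"^\d\S*\s+\S+\s+\S+\s+\S+\s+(\S+)\s*$")
ETYPE_LINE = re.compile(r"^\s+Etype \(skey, tkt\):\s*(\S+),\s*(\S+)")

# Constructed sample of `klist -e` output (not taken from a real system).
SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
01/01/2024 10:00:00  01/01/2024 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
01/01/2024 10:05:00  01/01/2024 20:00:00  imap/mail.example.com@EXAMPLE.COM
\tEtype (skey, tkt): DEPRECATED:arcfour-hmac, aes256-cts-hmac-sha1-96
"""

def audit_klist(text):
    """Return one record per ticket with its session-key and ticket enctypes."""
    records, service = [], None
    for line in text.splitlines():
        m = TICKET_LINE.match(line)
        if m:
            service = m.group(1)
            continue
        m = ETYPE_LINE.match(line)
        if m and service:
            # Assumption: some klist builds prefix weak enctypes with "DEPRECATED:".
            skey, tkt = (g.split(":", 1)[-1] for g in m.groups())
            records.append({"service": service, "skey": skey, "tkt": tkt,
                            "skey_bits": ETYPE_BITS.get(skey),  # None if unknown
                            "weak": skey in DEPRECATED or tkt in DEPRECATED})
            service = None
    return records

if __name__ == "__main__":
    for r in audit_klist(SAMPLE):
        print(f'{r["service"]}: skey {r["skey"]} ({r["skey_bits"]} bits), '
              f'SASL SSF {SASL_GSSAPI_SSF}, deprecated={r["weak"]}')
```

To check a live credential cache, pass the text captured from `klist -e` to `audit_klist` instead of `SAMPLE`.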


