git.ipfire.org Git - thirdparty/krb5.git/commit
Apply permitted_enctypes to KDC request enctypes 1025/head
author Robbie Harwood <rharwood@redhat.com>
Tue, 14 Jan 2020 19:23:00 +0000 (14:23 -0500)
committer Greg Hudson <ghudson@mit.edu>
Thu, 23 Jan 2020 19:21:42 +0000 (14:21 -0500)
commit 8f13fb2342b2a715cfb694688e3435e7f11691f8
tree d11853241c47aea171ee557a92260cae9368910a
parent fba01092b7beb097780f2482997c9e6cee0e7ed2
Apply permitted_enctypes to KDC request enctypes

permitted_enctypes was initially intended only to restrict the
processing of AP requests (and was later applied to KDB key data
searches so that the KDC wouldn't issue a ticket it would refuse to
accept).  Because the documentation was never clear about its scope,
many configurations assume that permitted_enctypes also applies to
clients.

In light of the existing configurations, take the simple way out and
use permitted_enctypes as the default for default_tkt_enctypes and
default_tgs_enctypes.  Update the documentation, add a test to
explicitly check the new behavior, and remove now-unnecessary
configuration from the test suite.

[ghudson@mit.edu: unrolled helper function; edited documentation and
commit message; simplified test case]

ticket: 8869 (new)
tags: pullup
target_version: 1.18
doc/admin/conf_files/krb5_conf.rst
doc/admin/enctypes.rst
src/lib/krb5/krb/init_ctx.c
src/man/krb5.conf.man
src/tests/dejagnu/config/default.exp
src/tests/gssapi/t_enctypes.py
src/tests/t_sesskeynego.py
src/util/k5test.py
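
The fallback described in the commit message, modelled as a small audit check over a krb5.conf `[libdefaults]` section. This is an added example, not code from the krb5 project. The function names, the `BUILTIN` placeholder (standing in for the library's compiled-in list, which this page does not give), the simplified parser and the constructed sample configuration are all assumptions.

```python
import re

# Placeholder for the library's compiled-in enctype list (not given on this page).
BUILTIN = ["<built-in default list>"]

# Constructed sample: restricts permitted_enctypes and sets only one request list.
SAMPLE = """
[libdefaults]
    default_realm = EXAMPLE.TEST
    permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128
    default_tgs_enctypes = aes256-cts-hmac-sha384-192
"""

def parse_libdefaults(text):
    """Return the flat key = value relations found in [libdefaults]."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            # Simplification: keep the first value seen for a repeated key.
            out.setdefault(key, re.split(r"[\s,]+", value))
    return out

def effective(conf, new_behavior):
    """Request enctype lists before (False) or after (True) the change."""
    permitted = conf.get("permitted_enctypes")
    fallback = permitted if (new_behavior and permitted) else BUILTIN
    return {k: conf.get(k, fallback)
            for k in ("default_tkt_enctypes", "default_tgs_enctypes")}

def unrestricted_requests(conf):
    """Request lists that ignore a configured permitted_enctypes under the old behavior."""
    if "permitted_enctypes" not in conf:
        return []
    return [k for k, v in effective(conf, False).items() if v is BUILTIN]

if __name__ == "__main__":
    conf = parse_libdefaults(SAMPLE)
    for key in unrestricted_requests(conf):
        print(f"{key}: unset, so permitted_enctypes only applies with the new default")
        print("  old:", effective(conf, False)[key])
        print("  new:", effective(conf, True)[key])
```

On a host whose library predates this change, each key the check reports has to be set explicitly for the restriction to reach KDC requests.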