From: Ken Raeburn Date: Thu, 10 Jun 2004 21:46:01 +0000 (+0000) Subject: * admin.texinfo (Supported Encryption Types): Reflect new AES support in X-Git-Tag: krb5-1.4-beta1~342 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=c008ef373a0b78cb4d9025421ca266a8aed009fd;p=krb5.git * admin.texinfo (Supported Encryption Types): Reflect new AES support in GSSAPI, but keep a warning about interoperability with old versions. ticket: 2585 tags: pullup target_version: 1.3.4 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16430 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/doc/ChangeLog b/doc/ChangeLog index af8281fe1..2d97803a7 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,3 +1,9 @@ +2004-06-10 Ken Raeburn + + * admin.texinfo (Supported Encryption Types): Reflect new AES + support in GSSAPI, but keep a warning about interoperability with + old versions. + 2004-06-02 Ken Raeburn * threads.txt, thread-safe.txt: New files. diff --git a/doc/admin.texinfo b/doc/admin.texinfo index ec500025f..ec20a89d0 100644 --- a/doc/admin.texinfo +++ b/doc/admin.texinfo 
@@ -351,23 +351,20 @@ types can be set to some combination of the following strings. @include support-enc.texinfo While aes128-cts and aes256-cts are supported for all Kerberos -operations, they are not supported by the GSSAPI. AES GSSAPI support -will be added after the necessary standardization work is -completed. - -By default, AES is enabled on clients and application servers. -Because of the lack of support for GSSAPI, AES is disabled in the -default KDC supported_enctypes @ref{kdc.conf}. Sites wishing to use -AES encryption types on their KDCs need to be careful not to give -GSSAPI services AES keys. If GSSAPI services are given AES keys, then -services will start to fail in the future when clients supporting AES -for GSSAPI are deployed before updated servers that support AES for -GSSAPI. Sites may wish to use AES for user keys and for the ticket -granting ticket key, although doing so requires specifying what -encryption types are used as each principal is created. Alternatively -sites can use the default configuration which will make AES support -available in clients and servers but not actually use this support -until a future version of Kerberos adds support to GSSAPI. +operations, they are not supported by older versions of our GSSAPI +implementation (krb5-1.3.1 and earlier). + +By default, AES is enabled in this release. Sites wishing to use AES +encryption types on their KDCs need to be careful not to give GSSAPI +services AES keys if the servers have not been updated. If older +GSSAPI services are given AES keys, then services may fail when +clients supporting AES for GSSAPI are used. Sites may wish to use AES +for user keys and for the ticket granting ticket key, although doing +so requires specifying what encryption types are used as each +principal is created. + +If all GSSAPI-based services have been updated before or with the KDC, +this is not an issue. @node Salts, krb5.conf, Supported Encryption Types, Configuration Files @section Salts
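Review bot: In the admin.texinfo hunk, the replacement sentence "By default, AES is enabled in this release" no longer says whether this covers the KDC's default supported_enctypes. The removed text stated that explicitly and pointed to @ref{kdc.conf}. An administrator upgrading a KDC needs to know whether newly created service principals will receive AES keys without any configuration change, since that is the case that breaks services still running krb5-1.3.1 or earlier. Suggest naming the KDC default explicitly and keeping the @ref{kdc.conf} cross-reference. The closing paragraph "If all GSSAPI-based services have been updated before or with the KDC, this is not an issue" has an unclear antecedent for "this", because it follows the sentence about user keys and the ticket granting ticket key rather than the interoperability warning. Moving it directly after "services may fail when clients supporting AES for GSSAPI are used", or rewording it to name the failure, would remove the ambiguity. It would also help to say what an administrator should do for a service that cannot be updated yet: the text mentions specifying encryption types as each principal is created, but only in connection with user and TGT keys.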