Kerberos Mechanism - Supported MAX_SSF

Ken Hornstein kenh at cmf.nrl.navy.mil
Wed Feb 8 20:46:47 EST 2017


>It looks to me (from [1]) that we only support max_ssf of 56
>(i.e. DES-56) with GSSAPI implementation of Kerberos in Cyrus SASL. Can
>someone please confirm on this? I am looking for AES 256 bit encryption
>with Kerberos mechanism. If that's not supported is there any plan for
>supporting it? Please advise.

That information is not accurate.

There's not really a way for a GSSAPI mechanism to communicate what kind
of encryption algorithm it is using (your choices are "encryption" or
"no encryption").  So the Cyrus-SASL code hardcodes an SSF of 56 for all
GSSAPI mechanisms (you can look in the source code to confirm this).
But this has nothing to do with the ACTUAL encryption used; that's
chosen for you by Kerberos.  I wish the designers of GSSAPI had made a
way to determine the encryption algorithm or strength used when using
the wrap functions, but that wasn't done.  I can only tell you that when
I dug down into it, I convinced myself that as long as you negotiated a
strong session key you were getting strong encryption.  And you can look
at your Kerberos tickets to see the encryption type that was negotiated.

--Ken
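
The ticket check suggested in the reply above, as an added example that is not part of the original message or of Cyrus SASL: a shell filter that reads `klist -e` output and reports each ticket's session-key encryption type. It assumes the MIT Kerberos `klist -e` layout with an "Etype (skey, tkt):" line under each ticket and numeric dates; the sample output, the principals and the function names are constructed for illustration.

```shell
# Constructed sample of `klist -e` output (assumed MIT Kerberos layout;
# principals, realm and times are made up).
sample_klist() {
cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
02/08/2017 20:00:00  02/09/2017 06:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
02/08/2017 20:01:10  02/09/2017 06:00:00  imap/mail.example.com@EXAMPLE.COM
    renew until 02/15/2017 20:00:00
    Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
02/08/2017 20:02:30  02/09/2017 06:00:00  ldap/old.example.com@EXAMPLE.COM
    Etype (skey, tkt): des-cbc-crc, aes256-cts-hmac-sha1-96
EOF
}

# Hypothetical helper: print "<verdict> <service principal> <session-key etype>"
# for every ticket. The session key (first etype on the line) is what matters
# for the GSSAPI wrap calls, whatever SSF the SASL layer reports.
session_etypes() {
  awk '
    # Ticket line: starts at column 0 with a date; last field is the principal.
    /^[0-9][0-9]\/[0-9][0-9]\/[0-9]+ / { svc = $NF; next }
    /Etype \(skey, tkt\):/ {
      sub(/^.*Etype \(skey, tkt\): */, "")
      split($0, e, /, */)
      skey = e[1]
      # DES, 3DES and RC4 enctypes are deprecated (RFC 6649, RFC 8429).
      verdict = (skey ~ /^(des|arcfour|rc4)/) ? "WEAK" : "ok"
      print verdict, svc, skey
    }'
}

# Real use: klist -e | session_etypes
sample_klist | session_etypes
```
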

