Re: Support of Kerberos V5 safe and private messages for LDAP

[Norbert Klasen <norbert.klasen@daasi.de>]

--On Donnerstag, 7. Februar 2002 13:28 -0200 Andreas Hasenack 
<andreas@conectiva.com.br> wrote:

> > SASL/GSSAPI authentication started
> > SASL SSF: 56
> > SASL installing layers
>
> Why is it using 56 bits only? I saw this here too, even though I'm only
> using 3DES kerberos tickets (if that's related). Where is this security
> layer negotiated/configured?

"56" is hardcoded in the cyrus-sasl gssapi plugin.

RFC1964 references RFC1510 and has only one confidentiality algorithm:
4.2.2. Confidentiality Algorithms

  Only one confidentiality QOP value is currently defined for the
  Kerberos V5 GSS-API mechanism:

  GSS_KRB5_CONF_C_QOP_DES         (numeric value: 0)
          /* Confidentiality with DES */

Does MIT Kerberos define a new QOP value for their 3DES extension?

One should probably take a look at the IDs for the revision of SASL and 
GSSAPI...

--
Norbert Klasen, Dipl.-Inform.
DAASI International GmbH                 phone: +49 7071 29 70336
Wilhelmstr. 106                          fax:   +49 7071 29 5114
72074 Tübingen                           email: norbert.klasen@daasi.de
Germany                                  web:   http://www.daasi.de