Subject: session_enctypes does nothing useful with DEFAULT
The session_enctypes string attribute, added in 1.11, uses the same
syntax for enctype lists as the three profile variables
(permitted_enctypes, default_tkt_enctypes, default_tgs_enctypes). But
unlike those variables, it evaluates DEFAULT to an empty list.

There are two reasonable options for fixing this: evaluate DEFAULT to
the same hardcoded default list as is used for the three profile
variables, or evaluate it to the value of permitted_enctypes (which the
KDC already uses to filter key data in DB entries).
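
The behaviour described in this ticket, as a simplified Python model added here (it is not krb5 code): it evaluates the same session_enctypes string with DEFAULT meaning an empty list, the hardcoded list, and the value of permitted_enctypes. The function names, the contents of `HARDCODED_DEFAULT`, and the sample strings are assumptions constructed for illustration.

```python
import re

# Constructed stand-in for the hardcoded default list; the real list depends
# on the krb5 release and is not given in the ticket.
HARDCODED_DEFAULT = ["aes256-cts", "aes128-cts", "des3-cbc-sha1", "arcfour-hmac"]


def parse_enctype_list(spec, default_list):
    """Evaluate an enctype list string against a given meaning of DEFAULT.

    Simplified model: tokens are split on whitespace or commas, DEFAULT
    expands to default_list, and a leading '-' removes instead of adds.
    """
    result = []
    for token in re.split(r"[\s,]+", spec.strip()):
        if not token:
            continue
        remove = token.startswith("-")
        name = token.lstrip("+-")
        names = list(default_list) if name == "DEFAULT" else [name]
        for n in names:
            if remove:
                if n in result:
                    result.remove(n)
            elif n not in result:
                result.append(n)
    return result


def compare_default_handling(session_spec, permitted_spec):
    """Return the session_enctypes result under each meaning of DEFAULT."""
    permitted = parse_enctype_list(permitted_spec, HARDCODED_DEFAULT)
    return {
        # Behaviour reported in the ticket: DEFAULT is an empty list.
        "reported": parse_enctype_list(session_spec, []),
        # First proposed fix: DEFAULT is the hardcoded default list.
        "hardcoded": parse_enctype_list(session_spec, HARDCODED_DEFAULT),
        # Second proposed fix: DEFAULT is the value of permitted_enctypes.
        "permitted": parse_enctype_list(session_spec, permitted),
    }


if __name__ == "__main__":
    # Constructed input: an administrator trying to drop one enctype.
    results = compare_default_handling("DEFAULT -arcfour-hmac", "aes256-cts aes128-cts")
    for label, value in results.items():
        print(f"{label}: {value}")
```

With the reported behaviour, a string such as `DEFAULT -arcfour-hmac` yields an empty list instead of the default set minus one enctype, which is the gap both proposed fixes close.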