diff options
| author | Tom Yu <tlyu@mit.edu> | 2010-02-25 20:14:21 +0000 |
|---|---|---|
| committer | Tom Yu <tlyu@mit.edu> | 2010-02-25 20:14:21 +0000 |
| commit | 63e187c4fb6d5b2377279be3d5b6c6367d3debb4 (patch) | |
| tree | 6ffc30bd99abf82b35bf5eef1c34271de019a236 | |
| parent | 39c6d76b5e15540ef8bc60b02e61169377760e71 (diff) | |
| download | krb5-63e187c4fb6d5b2377279be3d5b6c6367d3debb4.zip krb5-63e187c4fb6d5b2377279be3d5b6c6367d3debb4.tar.gz krb5-63e187c4fb6d5b2377279be3d5b6c6367d3debb4.tar.bz2 | |
pull up r23750 from trunk
------------------------------------------------------------------------
r23750 | tlyu | 2010-02-25 15:09:45 -0500 (Thu, 25 Feb 2010) | 7 lines
ticket: 6669
target_version: 1.8
tags: pullup
subject: doc updates for allow_weak_crypto
Update documentation to be more helpful about allow_weak_crypto.
ticket: 6669
version_fixed: 1.8
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23751 dc483132-0cff-0310-8789-dd5450dbe970
| -rw-r--r-- | doc/admin.texinfo | 7 | ||||
| -rw-r--r-- | src/config-files/krb5.conf.M | 8 |
2 files changed, 13 insertions, 2 deletions
diff --git a/doc/admin.texinfo b/doc/admin.texinfo index b7c87ac..5e80af3 100644 --- a/doc/admin.texinfo +++ b/doc/admin.texinfo @@ -456,8 +456,11 @@ key encryption. The default value for this tag is @itemx allow_weak_crypto If this is set to 0 (for false), then weak encryption types will be filtered out of the previous three lists (as noted in @ref{Supported -Encryption Types}). The default value for this tag is true, but that -default may change in the future. +Encryption Types}). The default value for this tag is false, which +may cause authentication failures in existing Kerberos infrastructures +that do not support strong crypto. Users in affected environments +should set this tag to true until their infrastructure adopts stronger +ciphers. @itemx clockskew Sets the maximum allowable amount of clockskew in seconds that the diff --git a/src/config-files/krb5.conf.M b/src/config-files/krb5.conf.M index b60836f..9778e81 100644 --- a/src/config-files/krb5.conf.M +++ b/src/config-files/krb5.conf.M @@ -128,6 +128,14 @@ types that should be requested by the client, in the same format. This relation identifies the permitted list of session key encryption types. +.IP allow_weak_crypto +If this is set to 0 (for false), then weak encryption types will be +filtered out of the previous three lists. The default value for this +tag is false, which may cause authentication failures in existing +Kerberos infrastructures that do not support strong crypto. Users in +affected environments should set this tag to true until their +infrastructure adopts stronger ciphers. + .IP clockskew This relation sets the maximum allowable amount of clockskew in seconds that the library will tolerate before assuming that a Kerberos message |