author | Greg Hudson <ghudson@mit.edu> | 2009-04-10 16:09:19 +0000 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2009-04-10 16:09:19 +0000 |
commit | 730246e51f84122079e79b248393d8f3b0291f86 (patch) | |
tree | bd35695eabff3d9ccc2e42be34f396344c40a3b8 | |
parent | 1358ab30265dd6e7cbda90a6dee45c3fa22b6e60 (diff) | |
Document allow_weak_crypto
Also document which cryptosystems are defined to be weak, and add some
enctype entries which weren't in the documentation.
ticket: 6452
tags: pullup
target_version: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22188 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r-- | doc/admin.texinfo | 8 | ||||
-rw-r--r-- | doc/support-enc.texinfo | 16 |
2 files changed, 18 insertions, 6 deletions
diff --git a/doc/admin.texinfo b/doc/admin.texinfo index 9a19837..fbfa91f 100644 --- a/doc/admin.texinfo +++ b/doc/admin.texinfo @@ -355,6 +355,8 @@ Following are definitions of some of the Kerberos terminology. Any tag in the configuration files which requires a list of encryption types can be set to some combination of the following strings. +Encryption types marked as ``weak'' are available for compatibility +but not recommended for use. @include support-enc.texinfo @@ -442,6 +444,12 @@ Identifies all encryption types that are permitted for use in session key encryption. The default value for this tag is @value{DefaultPermittedEnctypes}. +@itemx allow_weak_crypto +If this is set to 0 (for false), then weak encryption types will be +filtered out of the previous three lists (as noted in @ref{Supported +Encryption Types}). The default value for this tag is true, but that +default may change in the future. + @itemx clockskew Sets the maximum allowable amount of clockskew in seconds that the library will tolerate before assuming that a Kerberos message is diff --git a/doc/support-enc.texinfo b/doc/support-enc.texinfo index ca4e8fa..c359db6 100644 --- a/doc/support-enc.texinfo +++ b/doc/support-enc.texinfo @@ -5,17 +5,21 @@ in krb5/src/lib/crypto/etypes.c (and krb5/src/include/krb5.h[in]?) @table @code @item des-cbc-crc -DES cbc mode with CRC-32 +DES cbc mode with CRC-32 (weak) @item des-cbc-md4 -DES cbc mode with RSA-MD4 +DES cbc mode with RSA-MD4 (weak) @item des-cbc-md5 -DES cbc mode with RSA-MD5 +DES cbc mode with RSA-MD5 (weak) +@item des-cbc-raw +DES cbc mode raw (weak) +@item des3-cbc-raw +Triple DES cbc mode raw (weak) @item des3-cbc-sha1 @itemx des3-hmac-sha1 @itemx des3-cbc-sha1-kd -triple DES cbc mode with HMAC/sha1 +Triple DES cbc mode with HMAC/sha1 @item des-hmac-sha1 -DES with HMAC/sha1 +DES with HMAC/sha1 (weak) @item aes256-cts-hmac-sha1-96 @itemx aes256-cts AES-256 CTS mode with 96-bit SHA-1 HMAC 
@@ -29,5 +33,5 @@ RC4 with HMAC/MD5 @item arcfour-hmac-exp @itemx rc4-hmac-exp @itemx arcfour-hmac-md5-exp -exportable RC4 with HMAC/MD5 +Exportable RC4 with HMAC/MD5 (weak) @end table |
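Review bot: In the doc/admin.texinfo hunk at @@ -355, the added sentence says weak encryption types are "not recommended for use" but gives the reader no way to act on that; add a cross-reference to the allow_weak_crypto entry that this same patch introduces. The sentence also writes the marker as ``weak'' while the table in support-enc.texinfo renders it as "(weak)", so matching the two would make the marker easier to search for.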
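Review bot: In the doc/admin.texinfo hunk at @@ -442, the new allow_weak_crypto entry says weak types are filtered out of "the previous three lists", a positional reference that silently becomes wrong if an item is inserted or reordered; name the three affected tags explicitly. The entry also mixes notations ("set to 0 (for false)" against "The default value for this tag is true"), so state the accepted values once and use one form throughout. Because the text warns that the default "may change in the future", consider recommending that administrators set the tag explicitly rather than rely on the default.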
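Review bot: In the doc/support-enc.texinfo hunk at @@ -5, des3-cbc-raw is marked "(weak)" while the des3-cbc-sha1 group directly below it is not, and nothing in the table states what makes an enctype weak. Add a sentence ahead of the table giving the criterion used, so a reader can see why two Triple DES entries are classified differently and can tell whether an enctype missing from this list would be filtered by allow_weak_crypto.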