[OpenAFS] MIT kerberos 1.8 is released and disabled single DES by default
Simon Wilkinson
sxw@inf.ed.ac.uk
Wed, 3 Mar 2010 00:36:58 +0000
On 3 Mar 2010, at 00:28, Jason Edgecombe wrote:
> Hi,
>
> Since MIT released their kerberos 1.8 software today and it disables
> single DES by default, what steps should we take to educate new
> users about this? Any suggested specfiic documentation changes?
We should push people towards 1.4.12, when its released, which will
solve this problem (MIT added a hook to let us selectively enable weak
crypto for aklog, 1.4.12 uses that hook).
Users using older versions of OpenAFS will need to set
"allow_weak_crypto = true" in the libdefaults section of the krb5.conf
on all clients running MIT Kerberos 1.8.
S.