[OpenAFS] MIT kerberos 1.8 is released and disabled single DES by default

Simon Wilkinson sxw@inf.ed.ac.uk
Wed, 3 Mar 2010 00:36:58 +0000


On 3 Mar 2010, at 00:28, Jason Edgecombe wrote:

> Hi,
>
> Since MIT released their kerberos 1.8 software today and it disables  
> single DES by default, what steps should we take to educate new  
> users about this? Any suggested specfiic documentation changes?

We should push people towards 1.4.12, when its released, which will  
solve this problem (MIT added a hook to let us selectively enable weak  
crypto for aklog, 1.4.12 uses that hook).

Users using older versions of OpenAFS will need to set  
"allow_weak_crypto = true" in the libdefaults section of the krb5.conf  
on all clients running MIT Kerberos 1.8.

S.