[OpenAFS] MIT kerberos 1.8 is released and disabled single DES by default

Russ Allbery rra@stanford.edu
Wed, 03 Mar 2010 10:15:34 -0800

Harald Barth <haba@kth.se> writes:

> For heimdal, "afslog" is included in heimdal, and if I did not cheat
> myself during testing of 1.3.2rc2, it does not need the krb5.conf
> option, but for example heimdals telnet will need 
> allow_weak_crypto = yes
> (Insert rant that I want SSH KeyExchnage in all distros here)

> Another thing to keep an eye on would be the PAM module.

The PAM module included with AFS uses the kaserver calls in the AFS
libraries, so won't be affected.  pam-afs-session uses either an external
aklog program or the Heimdal libkafs to obtain tokens, both of which
handle this problem themselves.  I believe the Red Hat PAM module does the

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>