[OpenAFS] OpenAfs+Kerberos+OSXLion+Finder+Two Realms

Derrick Brashear shadow@gmail.com
Thu, 22 Sep 2011 12:37:32 -0400


On Thu, Sep 22, 2011 at 10:28 AM, Steve Simmons <scs@umich.edu> wrote:
>
> On Sep 22, 2011, at 8:04 AM, Ivan Glushkov wrote:
>
>>>
>>> Been getting it ever since updating to Lion, but never got around to looking into it ?
>>>
>>
>> I added
>>
>> allow_weak_crypto = true
>>
>> in the [libdefaults] part of /etc/krb5.conf and it works for me. I have no idea what exactly this means - is my encryption somehow weaker?!
>
> Yes, tho I no longer recall the fine details. If memory serves, there are some older encryption types in kerberos which are no longer recommended (des3? des?). The code to handle them is still there, but the default is not to use or permit them to be used unless allow_weak_crypto = true.

it'd be single des.

that liability will be addressed with rxgk but in the meantime, fcrypt
relies on a single des key.




-- 
Derrick
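
An added example, not part of the original message and not OpenAFS or Kerberos project code: a small Python check that reads a krb5.conf and reports when the `allow_weak_crypto` setting discussed in this thread is enabled, or a single-DES enctype is named, in `[libdefaults]`. The enctype names and accepted boolean spellings are assumptions taken from MIT krb5, and the sample configuration is constructed.

```python
import re

# Single-DES enctype names as documented for MIT krb5 ("des" is the family
# alias). Assumption: this list is sufficient for the check shown here.
SINGLE_DES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}  # assumed boolean spellings

def libdefaults(text):
    """Return the key/value relations found in the [libdefaults] section."""
    section, found = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip()
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            # Keep the first occurrence of a key (assumed lookup order).
            found.setdefault(key.strip(), value.strip())
    return found

def audit(text):
    """List findings that mean single DES may be used by this client."""
    conf, findings = libdefaults(text), []
    if conf.get("allow_weak_crypto", "false").lower() in TRUE_WORDS:
        findings.append("allow_weak_crypto is enabled")
    for key in ENCTYPE_KEYS:
        names = re.split(r"[\s,]+", conf.get(key, ""))
        # A leading "+" adds an enctype; "-name" removes it, so it never matches.
        weak = sorted(SINGLE_DES & {n.lstrip("+").lower() for n in names})
        if weak:
            findings.append(f"{key} lists single DES: {', '.join(weak)}")
    return findings

# Constructed sample input, not taken from the thread.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.ORG
    allow_weak_crypto = true
    permitted_enctypes = aes256-cts-hmac-sha1-96 des-cbc-crc
[realms]
    EXAMPLE.ORG = { kdc = kdc.example.org }
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```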