[28616] in CVS-changelog-for-Kerberos-V5


krb5 commit: Document that newer AFS supports stronger crypto

daemon@ATHENA.MIT.EDU (Tom Yu)
Thu Oct 9 18:45:59 2014

Date: Thu, 9 Oct 2014 18:45:53 -0400
From: Tom Yu <tlyu@mit.edu>
Message-Id: <201410092245.s99MjrI1031489@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/9b51ffb0c55a6c4c44501d86eb207acc79403c5c
commit 9b51ffb0c55a6c4c44501d86eb207acc79403c5c
Author: Tom Yu <tlyu@mit.edu>
Date:   Mon Oct 6 14:32:21 2014 -0400

    Document that newer AFS supports stronger crypto
    
    Modern OpenAFS releases support using encryption stronger than single
    DES with Kerberos.  Update the documentation accordingly.
    
    ticket: 7761
    target_version: 1.13
    tags: pullup

 doc/admin/advanced/retiring-des.rst |   31 ++++++++++++++++---------------
 1 files changed, 16 insertions(+), 15 deletions(-)

diff --git a/doc/admin/advanced/retiring-des.rst b/doc/admin/advanced/retiring-des.rst
index 2b80f3c..8bcf83d 100644
--- a/doc/admin/advanced/retiring-des.rst
+++ b/doc/admin/advanced/retiring-des.rst
@@ -380,21 +380,22 @@ Support for legacy services
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 If there remain legacy services which do not support non-DES enctypes
-(such as AFS), **allow_weak_crypto** must remain enabled on the KDC.
-Client machines need not have this setting, though---applications
-which require DES can use API calls to allow weak crypto on a per-request
-basis, overriding the system krb5.conf.  However, having **allow_weak_crypto**
-set on the KDC means that any principals which have a DES key in the database
-could still use those keys.  To minimize the use of DES in the realm and
-restrict it to just legacy services which require DES, it is necessary
-to remove all other DES keys.  The realm has been configured such that
-at password and keytab change, no DES keys will be generated by default.
-The task then reduces to requiring user password changes and having
-server administrators update their service keytabs.  Administrative
-outreach will be necessary, and if the desire to eliminate DES is
-sufficiently strong, the KDC administrators may choose to randkey
-any principals which have not been rekeyed after some timeout period,
-forcing the user to contact the helpdesk for access.
+(such as older versions of AFS), **allow_weak_crypto** must remain
+enabled on the KDC.  Client machines need not have this setting,
+though---applications which require DES can use API calls to allow
+weak crypto on a per-request basis, overriding the system krb5.conf.
+However, having **allow_weak_crypto** set on the KDC means that any
+principals which have a DES key in the database could still use those
+keys.  To minimize the use of DES in the realm and restrict it to just
+legacy services which require DES, it is necessary to remove all other
+DES keys.  The realm has been configured such that at password and
+keytab change, no DES keys will be generated by default.  The task
+then reduces to requiring user password changes and having server
+administrators update their service keytabs.  Administrative outreach
+will be necessary, and if the desire to eliminate DES is sufficiently
+strong, the KDC administrators may choose to randkey any principals
+which have not been rekeyed after some timeout period, forcing the
+user to contact the helpdesk for access.
 
 The Database Master Key
 -----------------------
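Review bot: The only substantive change in this hunk is "(such as AFS)" becoming "(such as older versions of AFS)" on the first added line, and that alone does not give an administrator enough to act on: the commit message says modern OpenAFS can use enctypes stronger than single DES, but the rewritten paragraph never says that upgrading AFS is what lets the site drop **allow_weak_crypto** on the KDC, nor that the AFS service principal then needs to be rekeyed without a DES key like any other service (the "server administrators update their service keytabs" step already in the paragraph). Suggest adding a sentence after the first added line along the lines of "Recent OpenAFS releases support non-DES enctypes; once AFS is upgraded, its service principal can be rekeyed and allow_weak_crypto disabled", naming the minimum release in the text rather than leaving it implicit. Also, since the remaining fourteen changed lines are a pure reflow of unchanged wording, the one-word doc change is easy to miss in this diff; keeping the reflow in a separate commit, or noting it in the commit message, would make review of the pullup easier.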
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
