[28624] in CVS-changelog-for-Kerberos-V5
krb5 commit [krb5-1.13]: Document that newer AFS supports stronger
daemon@ATHENA.MIT.EDU (Tom Yu)
Wed Oct 15 18:28:32 2014
Date: Wed, 15 Oct 2014 18:28:27 -0400
From: Tom Yu <tlyu@mit.edu>
Message-Id: <201410152228.s9FMSRAi022530@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/fe19aa61a8193dc8add1d85b13a80ece3b8b3ced
commit fe19aa61a8193dc8add1d85b13a80ece3b8b3ced
Author: Tom Yu <tlyu@mit.edu>
Date: Mon Oct 6 14:32:21 2014 -0400
Document that newer AFS supports stronger crypto
Modern OpenAFS releases support using encryption stronger than single
DES with Kerberos. Update the documentation accordingly.
(cherry picked from commit 9b51ffb0c55a6c4c44501d86eb207acc79403c5c)
ticket: 7761
version_fixed: 1.13
status: resolved
doc/admin/advanced/retiring-des.rst | 31 ++++++++++++++++---------------
1 files changed, 16 insertions(+), 15 deletions(-)
diff --git a/doc/admin/advanced/retiring-des.rst b/doc/admin/advanced/retiring-des.rst
index 2b80f3c..8bcf83d 100644
--- a/doc/admin/advanced/retiring-des.rst
+++ b/doc/admin/advanced/retiring-des.rst
@@ -380,21 +380,22 @@ Support for legacy services
~~~~~~~~~~~~~~~~~~~~~~~~~~~
If there remain legacy services which do not support non-DES enctypes
-(such as AFS), **allow_weak_crypto** must remain enabled on the KDC.
-Client machines need not have this setting, though---applications
-which require DES can use API calls to allow weak crypto on a per-request
-basis, overriding the system krb5.conf. However, having **allow_weak_crypto**
-set on the KDC means that any principals which have a DES key in the database
-could still use those keys. To minimize the use of DES in the realm and
-restrict it to just legacy services which require DES, it is necessary
-to remove all other DES keys. The realm has been configured such that
-at password and keytab change, no DES keys will be generated by default.
-The task then reduces to requiring user password changes and having
-server administrators update their service keytabs. Administrative
-outreach will be necessary, and if the desire to eliminate DES is
-sufficiently strong, the KDC administrators may choose to randkey
-any principals which have not been rekeyed after some timeout period,
-forcing the user to contact the helpdesk for access.
+(such as older versions of AFS), **allow_weak_crypto** must remain
+enabled on the KDC. Client machines need not have this setting,
+though---applications which require DES can use API calls to allow
+weak crypto on a per-request basis, overriding the system krb5.conf.
+However, having **allow_weak_crypto** set on the KDC means that any
+principals which have a DES key in the database could still use those
+keys. To minimize the use of DES in the realm and restrict it to just
+legacy services which require DES, it is necessary to remove all other
+DES keys. The realm has been configured such that at password and
+keytab change, no DES keys will be generated by default. The task
+then reduces to requiring user password changes and having server
+administrators update their service keytabs. Administrative outreach
+will be necessary, and if the desire to eliminate DES is sufficiently
+strong, the KDC administrators may choose to randkey any principals
+which have not been rekeyed after some timeout period, forcing the
+user to contact the helpdesk for access.
The Database Master Key
-----------------------
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5