[27425] in CVS-changelog-for-Kerberos-V5
krb5 commit [krb5-1.11]: Clarify enctype settings in krb5_conf.rst
daemon@ATHENA.MIT.EDU (Tom Yu)
Mon Dec 17 20:05:36 2012
Date: Mon, 17 Dec 2012 20:05:09 -0500
From: Tom Yu <tlyu@mit.edu>
Message-Id: <201212180105.qBI15944015004@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
https://github.com/krb5/krb5/commit/6d757949e3a4e76ce8a99dea56110736ede4530f
commit 6d757949e3a4e76ce8a99dea56110736ede4530f
Author: Tom Yu <tlyu@mit.edu>
Date: Mon Dec 17 19:22:52 2012 -0500
Clarify enctype settings in krb5_conf.rst
Clarify the krb5.conf settings default_tkt_enctypes and
default_tgs_enctypes in krb5_conf.rst.
(cherry picked from commit b11883ad8647a73a12a17c1be2c75f5365719342)
ticket: 7513
version_fixed: 1.11
status: resolved
doc/admin/conf_files/krb5_conf.rst | 20 +++++++++++++++-----
1 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index 6911f5c..60a9d06 100644
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -157,23 +157,33 @@ The libdefaults section may contain any of the following relations:
**default_tgs_enctypes**
Identifies the supported list of session key encryption types that
- should be returned by the KDC, in order of preference from
- highest to lowest. The list may be delimited with commas or
- whitespace. See :ref:`Encryption_and_salt_types` in
+ the client should request when making a TGS-REQ, in order of
+ preference from highest to lowest. The list may be delimited with
+ commas or whitespace. See :ref:`Encryption_and_salt_types` in
:ref:`kdc.conf(5)` for a list of the accepted values for this tag.
The default value is |defetypes|, but single-DES encryption types
will be implicitly removed from this list if the value of
**allow_weak_crypto** is false.
+ Do not set this unless required for specific backward
+ compatibility purposes; stale values of this setting can prevent
+ clients from taking advantage of new stronger enctypes when the
+ libraries are upgraded.
+
**default_tkt_enctypes**
Identifies the supported list of session key encryption types that
- should be requested by the client, in order of preference from
- highest to lowest. The format is the same as for
+ the client should request when making an AS-REQ, in order of
+ preference from highest to lowest. The format is the same as for
default_tgs_enctypes. The default value for this tag is
|defetypes|, but single-DES encryption types will be implicitly
removed from this list if the value of **allow_weak_crypto** is
false.
+ Do not set this unless required for specific backward
+ compatibility purposes; stale values of this setting can prevent
+ clients from taking advantage of new stronger enctypes when the
+ libraries are upgraded.
+
**dns_lookup_kdc**
Indicate whether DNS SRV records should be used to locate the KDCs
and other servers for a realm, if they are not listed in the
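Review bot: The four-line "Do not set this unless required for specific backward compatibility purposes" warning is added verbatim under both default_tgs_enctypes and default_tkt_enctypes, so the two copies can drift apart in later edits. Consider stating it once and cross-referencing it from the other entry, or sharing it through a substitution as is already done with |defetypes|. The warning also says what not to do without naming the alternative. A sentence stating that leaving the relation unset yields the |defetypes| default would make the recommended configuration explicit. In the reworded opening sentences, "the supported list of session key encryption types that the client should request" still reads awkwardly. "The list of session key encryption types the client requests when making a TGS-REQ" (and likewise for AS-REQ) would be plainer. The mention of default_tgs_enctypes inside the default_tkt_enctypes entry is also not bolded the way **allow_weak_crypto** is.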