svn rev #22258: branches/krb5-1-7/doc/
tlyu@MIT.EDU
Wed Apr 15 16:07:56 EDT 2009
http://src.mit.edu/fisheye/changelog/krb5/?cs=22258
Commit By: tlyu
Log Message:
ticket: 6452
version_fixed: 1.7
pull up r22188 from trunk
------------------------------------------------------------------------
r22188 | ghudson | 2009-04-10 12:09:19 -0400 (Fri, 10 Apr 2009) | 8 lines
Changed paths:
M /trunk/doc/admin.texinfo
M /trunk/doc/support-enc.texinfo
ticket: 6452
subject: Document allow_weak_crypto
tags: pullup
target_version: 1.7
Also document which cryptosystems are defined to be weak, and add some
enctype entries which weren't in the documentation.
Changed Files:
U branches/krb5-1-7/doc/admin.texinfo
U branches/krb5-1-7/doc/support-enc.texinfo
Modified: branches/krb5-1-7/doc/admin.texinfo
===================================================================
--- branches/krb5-1-7/doc/admin.texinfo 2009-04-15 20:07:53 UTC (rev 22257)
+++ branches/krb5-1-7/doc/admin.texinfo 2009-04-15 20:07:55 UTC (rev 22258)
@@ -355,6 +355,8 @@
Any tag in the configuration files which requires a list of encryption
types can be set to some combination of the following strings.
+Encryption types marked as ``weak'' are available for compatibility
+but not recommended for use.
@include support-enc.texinfo
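Review bot: The sentence added after "can be set to some combination of the following strings" tells the reader weak types are "not recommended for use" but gives no way to act on that. It should point to the allow_weak_crypto tag documented later in this same file, so an administrator reading the enctype list learns there is a setting that filters these types out.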
@@ -442,6 +444,12 @@
key encryption. The default value for this tag is
@value{DefaultPermittedEnctypes}.
+ at itemx allow_weak_crypto
+If this is set to 0 (for false), then weak encryption types will be
+filtered out of the previous three lists (as noted in @ref{Supported
+Encryption Types}). The default value for this tag is true, but that
+default may change in the future.
+
@itemx clockskew
Sets the maximum allowable amount of clockskew in seconds that the
library will tolerate before assuming that a Kerberos message is
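Review bot: In the new allow_weak_crypto entry, "the previous three lists" depends on item order and goes stale silently if an entry is inserted or moved above it; name the three enctype tags explicitly. The entry also mixes notations, describing the off value as "0 (for false)" while giving the default as "true"; pick one form and state the accepted values. Since the text says the default "may change in the future", consider advising administrators to set the tag explicitly rather than rely on the default.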
Modified: branches/krb5-1-7/doc/support-enc.texinfo
===================================================================
--- branches/krb5-1-7/doc/support-enc.texinfo 2009-04-15 20:07:53 UTC (rev 22257)
+++ branches/krb5-1-7/doc/support-enc.texinfo 2009-04-15 20:07:55 UTC (rev 22258)
@@ -5,17 +5,21 @@
@table @code
@item des-cbc-crc
-DES cbc mode with CRC-32
+DES cbc mode with CRC-32 (weak)
@item des-cbc-md4
-DES cbc mode with RSA-MD4
+DES cbc mode with RSA-MD4 (weak)
@item des-cbc-md5
-DES cbc mode with RSA-MD5
+DES cbc mode with RSA-MD5 (weak)
+ at item des-cbc-raw
+DES cbc mode raw (weak)
+ at item des3-cbc-raw
+Triple DES cbc mode raw (weak)
@item des3-cbc-sha1
@itemx des3-hmac-sha1
@itemx des3-cbc-sha1-kd
-triple DES cbc mode with HMAC/sha1
+Triple DES cbc mode with HMAC/sha1
@item des-hmac-sha1
-DES with HMAC/sha1
+DES with HMAC/sha1 (weak)
@item aes256-cts-hmac-sha1-96
@itemx aes256-cts
AES-256 CTS mode with 96-bit SHA-1 HMAC
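Review bot: des3-cbc-raw is added as "(weak)" while the des3-cbc-sha1 entry directly below it is not, and nothing in the table says why, so a reader cannot tell what the criterion for "weak" is. A one-line statement of the criterion would resolve that. The "triple" to "Triple" capitalization change is unrelated to the weak marking and leaves "cbc" lowercase in the same lines; either normalise the whole table or keep it out of this change.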
@@ -29,5 +33,5 @@
@item arcfour-hmac-exp
@itemx rc4-hmac-exp
@itemx arcfour-hmac-md5-exp
-exportable RC4 with HMAC/MD5
+Exportable RC4 with HMAC/MD5 (weak)
@end table
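Review bot: The "(weak)" suffix on the last table entry, like the ones earlier in this file, is defined only by the sentence added in admin.texinfo before "@include support-enc.texinfo"; the included file itself never explains it. Add a short legend next to the table (for example after "@end table") so the marker is still explained wherever the file is included.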