svn rev #23751: branches/krb5-1-8/ doc/ src/config-files/

tlyu@MIT.EDU tlyu at MIT.EDU
Thu Feb 25 15:14:21 EST 2010


http://src.mit.edu/fisheye/changelog/krb5/?cs=23751
Commit By: tlyu
Log Message:
ticket: 6669
version_fixed: 1.8
status: resolved

pull up r23750 from trunk

 ------------------------------------------------------------------------
 r23750 | tlyu | 2010-02-25 15:09:45 -0500 (Thu, 25 Feb 2010) | 7 lines

 ticket: 6669
 target_version: 1.8
 tags: pullup
 subject: doc updates for allow_weak_crypto

 Update documentation to be more helpful about allow_weak_crypto.


Changed Files:
U   branches/krb5-1-8/doc/admin.texinfo
U   branches/krb5-1-8/src/config-files/krb5.conf.M
Modified: branches/krb5-1-8/doc/admin.texinfo
===================================================================
--- branches/krb5-1-8/doc/admin.texinfo	2010-02-25 20:09:45 UTC (rev 23750)
+++ branches/krb5-1-8/doc/admin.texinfo	2010-02-25 20:14:21 UTC (rev 23751)
@@ -456,8 +456,11 @@
 @itemx allow_weak_crypto
 If this is set to 0 (for false), then weak encryption types will be
 filtered out of the previous three lists (as noted in @ref{Supported
-Encryption Types}).  The default value for this tag is true, but that
-default may change in the future.
+Encryption Types}).  The default value for this tag is false, which
+may cause authentication failures in existing Kerberos infrastructures
+that do not support strong crypto.  Users in affected environments
+should set this tag to true until their infrastructure adopts stronger
+ciphers.
 
 @itemx clockskew
 Sets the maximum allowable amount of clockskew in seconds that the
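Review bot: the added text tells users to "set this tag to true" while the first sentence of the same item describes the value as "0 (for false)", so the entry mixes two spellings of the boolean and never shows what an administrator should actually write. Use one form throughout, for example "1 (for true)" to match the existing sentence. It would also help to state that setting it to true leaves the weak encryption types in all three lists, so readers see it as a compatibility fallback to be removed once the infrastructure supports stronger ciphers.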

Modified: branches/krb5-1-8/src/config-files/krb5.conf.M
===================================================================
--- branches/krb5-1-8/src/config-files/krb5.conf.M	2010-02-25 20:09:45 UTC (rev 23750)
+++ branches/krb5-1-8/src/config-files/krb5.conf.M	2010-02-25 20:14:21 UTC (rev 23751)
@@ -128,6 +128,14 @@
 This relation identifies the permitted list of session key encryption
 types.
 
+.IP allow_weak_crypto
+If this is set to 0 (for false), then weak encryption types will be
+filtered out of the previous three lists.  The default value for this
+tag is false, which may cause authentication failures in existing
+Kerberos infrastructures that do not support strong crypto.  Users in
+affected environments should set this tag to true until their
+infrastructure adopts stronger ciphers.
+
 .IP clockskew 
 This relation sets the maximum allowable amount of clockskew in seconds
 that the library will tolerate before assuming that a Kerberos message
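Review bot: the new allow_weak_crypto entry copies the texinfo wording but drops the pointer to "Supported Encryption Types", so nothing in the man page tells the reader which encryption types count as weak. Name the weak types in this entry or refer to the corresponding section of the admin guide. The phrase "the previous three lists" also depends on entry order; naming the three relations explicitly would keep the text correct if entries are later moved or inserted.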



