krb5 commit [krb5-1.11]: Clarify enctype settings in krb5_conf.rst

Tom Yu tlyu at MIT.EDU
Mon Dec 17 20:05:09 EST 2012 

https://github.com/krb5/krb5/commit/6d757949e3a4e76ce8a99dea56110736ede4530f
commit 6d757949e3a4e76ce8a99dea56110736ede4530f
Author: Tom Yu <tlyu at mit.edu>
Date:   Mon Dec 17 19:22:52 2012 -0500

    Clarify enctype settings in krb5_conf.rst
    
    Clarify the krb5.conf settings default_tkt_enctypes and
    default_tgs_enctypes in krb5_conf.rst.
    
    (cherry picked from commit b11883ad8647a73a12a17c1be2c75f5365719342)
    
    ticket: 7513
    version_fixed: 1.11
    status: resolved

 doc/admin/conf_files/krb5_conf.rst |   20 +++++++++++++++-----
 1 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index 6911f5c..60a9d06 100644
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -157,23 +157,33 @@ The libdefaults section may contain any of the following relations:
 
 **default_tgs_enctypes**
     Identifies the supported list of session key encryption types that
-    should be returned by the KDC, in order of preference from
-    highest to lowest.  The list may be delimited with commas or
-    whitespace.  See :ref:`Encryption_and_salt_types` in
+    the client should request when making a TGS-REQ, in order of
+    preference from highest to lowest.  The list may be delimited with
+    commas or whitespace.  See :ref:`Encryption_and_salt_types` in
     :ref:`kdc.conf(5)` for a list of the accepted values for this tag.
     The default value is |defetypes|, but single-DES encryption types
     will be implicitly removed from this list if the value of
     **allow_weak_crypto** is false.
 
+    Do not set this unless required for specific backward
+    compatibility purposes; stale values of this setting can prevent
+    clients from taking advantage of new stronger enctypes when the
+    libraries are upgraded.
+
 **default_tkt_enctypes**
     Identifies the supported list of session key encryption types that
-    should be requested by the client, in order of preference from
-    highest to lowest.  The format is the same as for
+    the client should request when making an AS-REQ, in order of
+    preference from highest to lowest.  The format is the same as for
     default_tgs_enctypes.  The default value for this tag is
     |defetypes|, but single-DES encryption types will be implicitly
     removed from this list if the value of **allow_weak_crypto** is
     false.
 
+    Do not set this unless required for specific backward
+    compatibility purposes; stale values of this setting can prevent
+    clients from taking advantage of new stronger enctypes when the
+    libraries are upgraded.
+
 **dns_lookup_kdc**
     Indicate whether DNS SRV records should be used to locate the KDCs
     and other servers for a realm, if they are not listed in the

More information about the cvs-krb5 mailing list