allow_weak_enctypes=false and AFS ghudson at
Tue Jan 19 13:58:58 EST 2010

Debian developers have an interest in making their OpenAFS packages
work with krb5 1.8 out of the box, and auto-editing krb5.conf is not
the most satisfactory solution.  For more background, see:

We are currently planning to add an API which aklog can use to
override the value of allow_weak_crypto, which might look like:

krb5_error_code krb5_allow_weak_crypto(krb5_context ctx, krb5_boolean enable);

This is different from Heimdal's krb5_enctype_enable(), but turns out
to be the easiest change we could make.  (Heimdal uses a rather
different architecture for enabling and disabling enctypes than we

We also appear to generate a confusing error message in the KDC log
when a client performs a TGS request without including any enctypes
present in the principal.  I'll fix that assuming it doesn't prove to
be too difficult.

More information about the krbdev mailing list