From: Tom Yu
Date: Mon, 6 Oct 2014 18:32:21 +0000 (-0400)
Subject: Document that newer AFS supports stronger crypto
X-Git-Tag: krb5-1.14-alpha1~229
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9b51ffb0c55a6c4c44501d86eb207acc79403c5c;p=thirdparty%2Fkrb5.git

Document that newer AFS supports stronger crypto

Modern OpenAFS releases support using encryption stronger than single
DES with Kerberos. Update the documentation accordingly.

ticket: 7761
target_version: 1.13
tags: pullup
---
diff --git a/doc/admin/advanced/retiring-des.rst b/doc/admin/advanced/retiring-des.rst index 2b80f3c571..8bcf83de21 100644 --- a/doc/admin/advanced/retiring-des.rst +++ b/doc/admin/advanced/retiring-des.rst 
@@ -380,21 +380,22 @@ Support for legacy services ~~~~~~~~~~~~~~~~~~~~~~~~~~~ If there remain legacy services which do not support non-DES enctypes -(such as AFS), **allow_weak_crypto** must remain enabled on the KDC. -Client machines need not have this setting, though---applications -which require DES can use API calls to allow weak crypto on a per-request -basis, overriding the system krb5.conf. However, having **allow_weak_crypto** -set on the KDC means that any principals which have a DES key in the database -could still use those keys. To minimize the use of DES in the realm and -restrict it to just legacy services which require DES, it is necessary -to remove all other DES keys. The realm has been configured such that -at password and keytab change, no DES keys will be generated by default. -The task then reduces to requiring user password changes and having -server administrators update their service keytabs. Administrative -outreach will be necessary, and if the desire to eliminate DES is -sufficiently strong, the KDC administrators may choose to randkey -any principals which have not been rekeyed after some timeout period, -forcing the user to contact the helpdesk for access. +(such as older versions of AFS), **allow_weak_crypto** must remain +enabled on the KDC. Client machines need not have this setting, +though---applications which require DES can use API calls to allow +weak crypto on a per-request basis, overriding the system krb5.conf. +However, having **allow_weak_crypto** set on the KDC means that any +principals which have a DES key in the database could still use those +keys. To minimize the use of DES in the realm and restrict it to just +legacy services which require DES, it is necessary to remove all other +DES keys. The realm has been configured such that at password and +keytab change, no DES keys will be generated by default. 
The task +then reduces to requiring user password changes and having server +administrators update their service keytabs. Administrative outreach +will be necessary, and if the desire to eliminate DES is sufficiently +strong, the KDC administrators may choose to randkey any principals +which have not been rekeyed after some timeout period, forcing the +user to contact the helpdesk for access. The Database Master Key -----------------------
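
Review bot: the new parenthetical "(such as older versions of AFS)" in the first added line does not say which OpenAFS releases count as older, so an administrator reading this section cannot tell whether their cell still requires **allow_weak_crypto** on the KDC. Consider naming the first OpenAFS release that supports non-DES enctypes, or pointing to the OpenAFS documentation that does. As a style point, that parenthetical is the only wording change in the hunk; the rest of the paragraph is only re-wrapped, which makes the whole paragraph show up as removed and re-added. Keeping the original line breaks after the first changed line would leave the substantive change visible in history.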