
Re: Bug#629276: NFS needs same dispensation to use DES as AFS



On Fri, Jun 17, 2011 at 09:51:30PM +0200, Sergio Gelato wrote:
> It is true that you can enable the enctypes for all principals by adding
> [libdefaults]
> 	allow_weak_crypto = true
> to /etc/heimdal-kdc/kdc.conf, but that's a very blunt tool since only a
> few principals still need an exemption from the "no DES" policy. For my 
> own operations I'll definitely stick with my patch. A more universal
> solution would be to make the exception list configurable without
> recompiling the KDC, but that has to be balanced against the likely
> complexity of such a change.

So for some reason I thought the patch was more involved.  So yeah, you
can update that through proposed-updates.  If it misses the next point
release we can also push it through squeeze-updates, I think.

It's a bit sad that it's hardcoded but I think it's fair for NFS/AFS,
even though we got recent support for better crypto in the kernel.

Kind regards,
Philipp Kern
-- 
 .''`.  Philipp Kern                        Debian Developer
: :' :  http://philkern.de                         Stable Release Manager
`. `'   xmpp:phil@0x539.de                         Wanna-Build Admin
  `-    finger pkern/key@db.debian.org

Attachment: signature.asc
Description: Digital signature

