
Re: HEAD's UP: possible 0day SSH exploit in the wild



Peter Jordan <usernetwork@gmx.info> writes:
> Russ Allbery, Fri Jul 10 2009 00:55:42 GMT+0200 (CEST):

>> However, if you also have AFS, which I recall that you do, you can't
>> turn it off at that level.  You have to leave DES as a supported
>> enctype since the AFS service key at present still has to be DES
>> (although we're working on that).  In that case, you have to deal
>> with it at creation time for each principal.  In other words, when
>> you do addprinc or ktadd for everything other than the AFS service
>> key, pass the -e "aes256-cts:normal" option to the command to force
>> the enctypes to be restricted to 256-bit AES.

> We use NFSv4.

I think the current version may have that same problem.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
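
Added example, not part of the original message: one way to check that the per-principal restriction described in the quoted text took effect is to scan `klist -ke` style keytab output for single-DES keys on anything other than the AFS service key. The listing below is constructed, and the realm and host names are hypothetical.

```shell
#!/bin/sh
# Flag non-AFS principals that still hold single-DES keys.
# Input format: `klist -ke <keytab>` lines, "KVNO Principal (enctype)".

# Constructed sample listing (hypothetical realm and hosts).
sample_listing() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/nfs1.example.org@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
   3 nfs/nfs1.example.org@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
   3 nfs/nfs1.example.org@EXAMPLE.ORG (des-cbc-crc)
   5 afs/example.org@EXAMPLE.ORG (des-cbc-crc)
   2 host/old.example.org@EXAMPLE.ORG (DES cbc mode with CRC-32)
EOF
}

# Print "principal<TAB>enctype" for each single-DES key that does not
# belong to the AFS service principal (afs@REALM or afs/cell@REALM).
find_des_keys() {
    awk '
        $1 ~ /^[0-9]+$/ && NF >= 3 {
            princ = $2
            enc = $0
            sub(/^[^(]*\(/, "", enc)      # drop everything up to "("
            sub(/\)[^)]*$/, "", enc)      # drop the closing ")"
            lc = tolower(enc)
            # Matches both short names (des-cbc-crc) and the older long
            # descriptions (DES cbc mode ...); des3 is not matched.
            if (lc !~ /^des[- ]/) next
            # The AFS service key is the one key expected to stay DES.
            if (princ ~ /^afs(\/|@)/) next
            print princ "\t" enc
        }'
}

# Stand-alone run over the constructed sample.
sample_listing | find_des_keys
```

Against a real keytab, pipe `klist -ke /path/to/keytab` into `find_des_keys`; any line it prints is a principal whose keys were not created with `-e "aes256-cts:normal"`.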

