Sam Hartman <hartm...@debian.org> writes:

> There's also the issue that it is a fairly security sensitive setting.
> I think that weakening the security defaults like this is something the
> user should at least know about.

> However it's possible we could do something in krb5-config. For
> example, ask about allow_weak_crypto at priority low normally, but if we
> find /usr/bin/aklog ask at priority high. Would that make things
> better?

The way Heimdal implemented the same restriction was to add an API that allowed the application to explicitly re-enable the DES enctype even if it was disabled, which their version of aklog uses.

Note that the KDC administrator still has final control, so it's not obvious to me that this is a security concern.

--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>