diff options
| author | Tom Yu <tlyu@mit.edu> | 2012-12-17 19:22:52 -0500 |
|---|---|---|
| committer | Tom Yu <tlyu@mit.edu> | 2012-12-17 19:22:52 -0500 |
| commit | b11883ad8647a73a12a17c1be2c75f5365719342 (patch) | |
| tree | 373b8432b4c754f3f3b1c6d6c0e2312d65dea2e0 /doc/admin/conf_files/krb5_conf.rst | |
| parent | 58774a2c96b3c19368b48864698b97f6e020cae4 (diff) | |
| download | krb5-b11883ad8647a73a12a17c1be2c75f5365719342.tar.gz krb5-b11883ad8647a73a12a17c1be2c75f5365719342.tar.xz krb5-b11883ad8647a73a12a17c1be2c75f5365719342.zip | |
Clarify enctype settings in krb5_conf.rst
Clarify the krb5.conf settings default_tkt_enctypes and
default_tgs_enctypes in krb5_conf.rst.
ticket: 7513 (new)
target_version: 1.11
tags: pullup
Diffstat (limited to 'doc/admin/conf_files/krb5_conf.rst')
| -rw-r--r-- | doc/admin/conf_files/krb5_conf.rst | 20 |
1 files changed, 15 insertions, 5 deletions
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst index 6911f5c69a..60a9d06ff2 100644 --- a/doc/admin/conf_files/krb5_conf.rst +++ b/doc/admin/conf_files/krb5_conf.rst @@ -157,23 +157,33 @@ The libdefaults section may contain any of the following relations: **default_tgs_enctypes** Identifies the supported list of session key encryption types that - should be returned by the KDC, in order of preference from - highest to lowest. The list may be delimited with commas or - whitespace. See :ref:`Encryption_and_salt_types` in + the client should request when making a TGS-REQ, in order of + preference from highest to lowest. The list may be delimited with + commas or whitespace. See :ref:`Encryption_and_salt_types` in :ref:`kdc.conf(5)` for a list of the accepted values for this tag. The default value is |defetypes|, but single-DES encryption types will be implicitly removed from this list if the value of **allow_weak_crypto** is false. + Do not set this unless required for specific backward + compatibility purposes; stale values of this setting can prevent + clients from taking advantage of new stronger enctypes when the + libraries are upgraded. + **default_tkt_enctypes** Identifies the supported list of session key encryption types that - should be requested by the client, in order of preference from - highest to lowest. The format is the same as for + the client should request when making an AS-REQ, in order of + preference from highest to lowest. The format is the same as for default_tgs_enctypes. The default value for this tag is |defetypes|, but single-DES encryption types will be implicitly removed from this list if the value of **allow_weak_crypto** is false. + Do not set this unless required for specific backward + compatibility purposes; stale values of this setting can prevent + clients from taking advantage of new stronger enctypes when the + libraries are upgraded. + **dns_lookup_kdc** Indicate whether DNS SRV records should be used to locate the KDCs and other servers for a realm, if they are not listed in the |