From 1619c3786c5b874b5fd88adc1f2fbaa50f2a95e4 Mon Sep 17 00:00:00 2001 From: Tom Yu Date: Thu, 25 Feb 2010 20:09:45 +0000 Subject: doc updates for allow_weak_crypto Update documentation to be more helpful about allow_weak_crypto. ticket: 6669 target_version: 1.8 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23750 dc483132-0cff-0310-8789-dd5450dbe970 --- src/config-files/krb5.conf.M | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'src') diff --git a/src/config-files/krb5.conf.M b/src/config-files/krb5.conf.M index b60836f3c1..9778e8178a 100644 --- a/src/config-files/krb5.conf.M +++ b/src/config-files/krb5.conf.M @@ -128,6 +128,14 @@ types that should be requested by the client, in the same format. This relation identifies the permitted list of session key encryption types. +.IP allow_weak_crypto +If this is set to 0 (for false), then weak encryption types will be +filtered out of the previous three lists. The default value for this +tag is false, which may cause authentication failures in existing +Kerberos infrastructures that do not support strong crypto. Users in +affected environments should set this tag to true until their +infrastructure adopts stronger ciphers. + .IP clockskew This relation sets the maximum allowable amount of clockskew in seconds that the library will tolerate before assuming that a Kerberos message -- cgit
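Review bot: The new allow_weak_crypto paragraph never says which encryption types count as "weak", so an administrator reading "weak encryption types will be filtered out" cannot tell from this entry whether their existing keys are affected before authentication starts failing. Consider listing the affected enctypes here, or pointing to where they are defined. Three smaller points in the same paragraph: it mixes value notations ("set to 0 (for false)" in the first sentence, "set this tag to true" in the last), so pick one form and state the accepted values once. "The previous three lists" is a positional reference that will silently go stale if the entries are reordered, so naming the three relations would be more robust. And the surrounding entries say "This relation ..." where the new text says "this tag", so the wording should match.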