Details
-
Type:
Sub-task
-
Status: Closed
-
Priority:
P3
-
Resolution: Delivered
-
Affects Version/s: 17
-
Fix Version/s: 17
-
Component/s: security-libs
-
Labels:
-
Subcomponent:
Description
The des3-hmac-sha1 and rc4-hmac Kerberos encryption types (etypes) are now deprecated and disabled by default. Users can set "allow_weak_crypto = true" in the `krb5.conf` configuration file to re-enable them (along with other weak etypes including des-cbc-crc and des-cbc-md5) at their own risk. To disable a subset of the weak etypes, users can list preferred etypes explicitly in any of default_tkt_enctypes, default_tgs_enctypes, or permitted_enctypes settings.