From: Greg Hudson Date: Fri, 10 Apr 2009 16:09:19 +0000 (+0000) Subject: Document allow_weak_crypto X-Git-Tag: krb5-1.8-alpha1~553 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=730246e51f84122079e79b248393d8f3b0291f86;p=krb5.git Document allow_weak_crypto Also document which cryptosystems are defined to be weak, and add some enctype entries which weren't in the documentation. ticket: 6452 tags: pullup target_version: 1.7 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22188 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/doc/admin.texinfo b/doc/admin.texinfo index 9a1983757..fbfa91f95 100644 --- a/doc/admin.texinfo +++ b/doc/admin.texinfo @@ -355,6 +355,8 @@ Following are definitions of some of the Kerberos terminology. Any tag in the configuration files which requires a list of encryption types can be set to some combination of the following strings. +Encryption types marked as ``weak'' are available for compatibility +but not recommended for use. @include support-enc.texinfo @@ -442,6 +444,12 @@ Identifies all encryption types that are permitted for use in session key encryption. The default value for this tag is @value{DefaultPermittedEnctypes}. +@itemx allow_weak_crypto +If this is set to 0 (for false), then weak encryption types will be +filtered out of the previous three lists (as noted in @ref{Supported +Encryption Types}). The default value for this tag is true, but that +default may change in the future. + @itemx clockskew Sets the maximum allowable amount of clockskew in seconds that the library will tolerate before assuming that a Kerberos message is diff --git a/doc/support-enc.texinfo b/doc/support-enc.texinfo index ca4e8faab..c359db6ea 100644 --- a/doc/support-enc.texinfo +++ b/doc/support-enc.texinfo 
@@ -5,17 +5,21 @@ in krb5/src/lib/crypto/etypes.c (and krb5/src/include/krb5.h[in]?) @table @code @item des-cbc-crc -DES cbc mode with CRC-32 +DES cbc mode with CRC-32 (weak) @item des-cbc-md4 -DES cbc mode with RSA-MD4 +DES cbc mode with RSA-MD4 (weak) @item des-cbc-md5 -DES cbc mode with RSA-MD5 +DES cbc mode with RSA-MD5 (weak) +@item des-cbc-raw +DES cbc mode raw (weak) +@item des3-cbc-raw +Triple DES cbc mode raw (weak) @item des3-cbc-sha1 @itemx des3-hmac-sha1 @itemx des3-cbc-sha1-kd -triple DES cbc mode with HMAC/sha1 +Triple DES cbc mode with HMAC/sha1 @item des-hmac-sha1 -DES with HMAC/sha1 +DES with HMAC/sha1 (weak) @item aes256-cts-hmac-sha1-96 @itemx aes256-cts AES-256 CTS mode with 96-bit SHA-1 HMAC @@ -29,5 +33,5 @@ RC4 with HMAC/MD5 @item arcfour-hmac-exp @itemx rc4-hmac-exp @itemx arcfour-hmac-md5-exp -exportable RC4 with HMAC/MD5 +Exportable RC4 with HMAC/MD5 (weak) @end table
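Review bot: In the doc/admin.texinfo hunk at @@ -355,6 +355,8 @@, the new sentence says weak types are "available for compatibility but not recommended for use" but never tells the reader how to turn them off. The allow_weak_crypto entry added later in this patch points back here with @ref{Supported Encryption Types}; add the matching forward pointer, for example "see the allow_weak_crypto tag", so the two passages reference each other.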
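Review bot: In the doc/admin.texinfo hunk at @@ -442,6 +444,12 @@, "the previous three lists" identifies the affected tags only by their position in the table, so the sentence goes wrong as soon as an entry is inserted or reordered above it; name the three tags explicitly. The same paragraph writes false as "0 (for false)" and then gives the default as "true"; pick one notation and use it for both. Since the default leaves weak types enabled, it would also help to say plainly that an administrator has to set the tag to false to get the filtering.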
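Review bot: In the doc/support-enc.texinfo hunk at @@ -5,17 +5,21 @@, the "(weak)" marker is applied without stating the criterion, although the commit message promises to document which cryptosystems are "defined to be weak". des3-cbc-raw is marked weak while des3-cbc-sha1 is not, and the only difference visible in the table is that the raw entries list no checksum; a sentence before @table saying what makes a type weak (single DES, raw mode, export-grade) would let readers classify types that are not in this list. The later hunk at @@ -29,5 +33,5 @@ marks only the exportable RC4 entry, which fits the same explanation.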