From f70d290faea0ed8a9e41553c56eb673bb1d08cb8 Mon Sep 17 00:00:00 2001
From: Tom Yu
Date: Sat, 31 Jan 2009 03:57:20 +0000
Subject: [PATCH] Default allow_weak_crypto=true for now.

Default supported_enctypes to exclude single-DES enctypes.

ticket: 6353
status: open

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21851 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/include/osconf.hin      | 5 +++++
 src/lib/kadm5/alt_prof.c    | 2 +-
 src/lib/krb5/krb/init_ctx.c | 2 +-
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/include/osconf.hin b/src/include/osconf.hin
index 6feb22338..339e4b228 100644
--- a/src/include/osconf.hin
+++ b/src/include/osconf.hin
@@ -101,6 +101,11 @@
 #define DEFAULT_KADM5_ACL_FILE "@LOCALSTATEDIR/krb5kdc/kadm5.acl"
 #define DEFAULT_KADM5_PORT 749 /* assigned by IANA */
 
+#define KRB5_DEFAULT_SUPPORTED_ENCTYPES \
+ "aes256-cts-hmac-sha1-96:normal " \
+ "aes128-cts-hmac-sha1-96:normal " \
+ "des3-cbc-sha1:normal arcfour-hmac-md5:normal"
+
 #define MAX_DGRAM_SIZE 4096
 #define MAX_SKDC_TIMEOUT 30
 #define SKDC_TIMEOUT_SHIFT 2 /* left shift of timeout for backoff */
diff --git a/src/lib/kadm5/alt_prof.c b/src/lib/kadm5/alt_prof.c
index ae9d84c7f..7ad59ab4d 100644
--- a/src/lib/kadm5/alt_prof.c
+++ b/src/lib/kadm5/alt_prof.c
@@ -749,7 +749,7 @@ krb5_error_code kadm5_get_config_params(context, use_kdc_config,
 if (aprofile)
 krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue);
 if (svalue == NULL)
- svalue = strdup("des3-hmac-sha1:normal des-cbc-crc:normal");
+ svalue = strdup(KRB5_DEFAULT_SUPPORTED_ENCTYPES);
 
 params.keysalts = NULL;
 params.num_keysalts = 0;
diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
index bab143e6f..69f7ad887 100644
--- a/src/lib/krb5/krb/init_ctx.c
+++ b/src/lib/krb5/krb/init_ctx.c
@@ -172,7 +172,7 @@ init_common (krb5_context *context, krb5_boolean secure, krb5_boolean kdc)
 goto cleanup;
 
 retval = profile_get_boolean(ctx->profile, "libdefaults",
- "allow_weak_crypto", NULL, 0, &tmp);
+ "allow_weak_crypto", NULL, 1, &tmp);
 if (retval)
 goto cleanup;
 ctx->allow_weak_crypto = tmp;
-- 
2.26.2
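Review bot: The new KRB5_DEFAULT_SUPPORTED_ENCTYPES macro carries no comment saying what it is the default for or why single-DES was dropped, so a reader of osconf.hin cannot tell it is the fallback for the kdc.conf supported_enctypes setting consumed by kadm5 (alt_prof.c in this same commit). Suggest `/* Fallback for supported_enctypes when unset in kdc.conf; single-DES deliberately excluded. */` above the define. The list still ends with des3-cbc-sha1 and arcfour-hmac-md5, so the default is not AES-only; stating that in the comment makes the trade-off explicit for deployments that want to tighten it further.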
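Review bot: The strdup() on the added line remains unchecked, so an allocation failure leaves svalue NULL exactly as if the profile had returned nothing; whether the code after `params.num_keysalts = 0;` tolerates that cannot be seen here, and kadm5_get_config_params continues outside the hunk. The new default also silently stops kadmin from generating des-cbc-crc keys on realms that never set supported_enctypes, so a one-line comment at the fallback, `/* Default now excludes single-DES; set supported_enctypes in kdc.conf to keep DES keys. */`, would help whoever later debugs a DES-only client that can no longer authenticate. The macro lives in osconf.hin, so this file must reach it through an include that is not visible in the hunk.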
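Review bot: The flipped default on the added line is described in the subject as temporary ("for now"), but nothing in the code records that, so the 1 will outlive its rationale; suggest `/* TODO(ticket 6353): revert default to 0 once single-DES enctypes are phased out. */` on the line above the profile_get_boolean call. With this default every context whose libdefaults does not set allow_weak_crypto accepts weak enctypes, so the effective protection now rests on the KDC-side supported_enctypes default changed in alt_prof.c rather than on the client library. init_common continues outside the hunk.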