------------------------------------------------------------------------
r23750 | tlyu | 2010-02-25 15:09:45 -0500 (Thu, 25 Feb 2010) | 7 lines
ticket: 6669
target_version: 1.8
tags: pullup
subject: doc updates for allow_weak_crypto
Update documentation to be more helpful about allow_weak_crypto.
ticket: 6669
version_fixed: 1.8
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23751
dc483132-0cff-0310-8789-
dd5450dbe970
@itemx allow_weak_crypto
If this is set to 0 (for false), then weak encryption types will be
filtered out of the previous three lists (as noted in @ref{Supported
-Encryption Types}). The default value for this tag is true, but that
-default may change in the future.
+Encryption Types}). The default value for this tag is false, which
+may cause authentication failures in existing Kerberos infrastructures
+that do not support strong crypto. Users in affected environments
+should set this tag to true until their infrastructure adopts stronger
+ciphers.
@itemx clockskew
Sets the maximum allowable amount of clockskew in seconds that the
This relation identifies the permitted list of session key encryption
types.
+.IP allow_weak_crypto
+If this is set to 0 (for false), then weak encryption types will be
+filtered out of the previous three lists. The default value for this
+tag is false, which may cause authentication failures in existing
+Kerberos infrastructures that do not support strong crypto. Users in
+affected environments should set this tag to true until their
+infrastructure adopts stronger ciphers.
+
.IP clockskew
This relation sets the maximum allowable amount of clockskew in seconds
that the library will tolerate before assuming that a Kerberos message
projects / krb5.git / commitdiff