[Freeipa-users] KDC has no support for encryption type
Petr Spacek
pspacek at redhat.com
Mon Jan 5 08:47:28 UTC 2015
On 29.12.2014 23:31, Matt . wrote:
> But should an IPA install not add them by default ? Maybe this is some
I'm not sure that I understand what you mean, but DES is disabled on purpose
because it is completely insecure nowadays. Maybe you should try to rule it
out from your deployment.
According to [1], it was possible to attack DES key back in 2008. I don't want
to even guess how easy it has to be today. DES in Kerberos was formally
deprecated by RFC 6649 [2].
Also, -CRC variants are completely insecure by design (because it is malleable).
[1] http://en.wikipedia.org/wiki/Data_Encryption_Standard#Chronology
[2] https://tools.ietf.org/html/rfc6649
Have a nice day!
--
Petr^2 Spacek
More information about the Freeipa-users
mailing list