Hello debian-devel,

What should I do with this bug?

I did build a version for unstable, but I am not convinced this change is needed for unstable. I am doubtful it will get accepted in stable, because it isn't fixing a grave bug. I am not sure it is appropriate for backports, because the change isn't in unstable.

Thanks

On 5 June 2011 19:25, Sergio Gelato <sergio.gel...@astro.su.se> wrote:
> Package: heimdal-kdc
> Version: 1.4.0~git20100726.dfsg.1-1
> Tags: patch
>
> Recent Heimdal KDC disables DES encryption types on the (valid) grounds that
> they are too weak. An exception is made where the service principal is "afs"
> since the work to upgrade AFS to support stronger crypto is still very much
> in progress.
>
> Unfortunately, Kerberized NFS has a similar problem. Support for stronger
> enctypes didn't make it into the Linux kernel until 2.6.35 (post-squeeze).
> Until all NFS servers and clients have been upgraded to support stronger
> enctypes, a site will want to enable DES enctypes for "nfs" service
> principals. Here is a patch that does just that; I've successfully tested
> it. I think it would be highly desirable to have this in squeeze; more
> so, in fact, than in later releases since the need for DES support with
> NFS service principals ought to decrease with time.
>
> Without this patch, the KDC rejects AS requests that specify DES enctypes
> with "krb5_crypto_init failed: encryption type (1|2|3) not supported"
> (illustrating another oddity, namely that krb5_crypto_init() uses the
> same error message whether the enctype is unknown or known but disabled;
> krb5_enctype_valid() has two distinct error messages) and TGS requests
> result in "Server (nfs/f.q.d.n) has no support for etypes" (also in the
> KDC's log). The client did have [libdefaults]allow_weak_crypto=true, as
> shown by the fact that the AS and TGS requests asked for a DES enctype.

--
Brian May <br...@microcomaustralia.com.au>
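Added example (not part of the original thread and not Heimdal code): a small log triage script that counts the two KDC rejections quoted in the bug report, so a site can see which service principals and hosts still ask for DES before deciding how long an exception is needed. It matches only the message text quoted in the report; the timestamp prefix, hostnames and sample lines are constructed, and the enctype names are the RFC 3961 assignments for numbers 1 to 3.

```python
import re
from collections import Counter

# Single-DES enctype numbers (RFC 3961); the report's "(1|2|3)".
DES_ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}

# Patterns built only from the two messages quoted in the report.
AS_FAIL = re.compile(r"krb5_crypto_init failed: encryption type (\d+) not supported")
TGS_FAIL = re.compile(r"Server \(([^/)@]+)/([^)@]+)(?:@[^)]*)?\) has no support for etypes")

# Constructed sample: the timestamp prefix and hostnames are made up.
SAMPLE_LOG = """\
2011-06-05T19:20:01 krb5_crypto_init failed: encryption type 3 not supported
2011-06-05T19:20:04 Server (nfs/files1.example.org) has no support for etypes
2011-06-05T19:21:10 Server (nfs/files2.example.org) has no support for etypes
2011-06-05T19:21:30 krb5_crypto_init failed: encryption type 1 not supported
2011-06-05T19:22:00 Server (nfs/files1.example.org) has no support for etypes
2011-06-05T19:23:15 krb5_crypto_init failed: encryption type 99 not supported
2011-06-05T19:24:00 AS-REQ unrelated line that must be ignored
"""


def summarize(log_text):
    """Count DES-related AS failures per enctype and TGS failures per service."""
    as_failures = Counter()
    tgs_failures = {}
    for line in log_text.splitlines():
        m = AS_FAIL.search(line)
        if m:
            number = int(m.group(1))
            # The message is identical for unknown and disabled enctypes, so
            # only the number tells us whether this is a disabled DES type.
            as_failures[DES_ETYPES.get(number, "not-des:%d" % number)] += 1
            continue
        m = TGS_FAIL.search(line)
        if m:
            service, host = m.group(1), m.group(2)
            tgs_failures.setdefault(service, Counter())[host] += 1
    return dict(as_failures), {s: dict(h) for s, h in tgs_failures.items()}


if __name__ == "__main__":
    as_failures, tgs_failures = summarize(SAMPLE_LOG)
    print("AS failures by enctype:", as_failures)
    for service, hosts in sorted(tgs_failures.items()):
        print("TGS failures for %s/*: %s" % (service, hosts))
```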