Peter Jordan <usernetw...@gmx.info> writes: > Let the option > master_key_type = des3-hmac-sha1 > as it is?
Yes. The master key isn't used on the network and changing it is very difficult in lenny. > No change in /etc/krb5.conf required? Correct. Clients will negotiate the strongest available encryption key automatically. > should i renew all host keys? Ideally, yes, since that will get them on AES only. If you have any existing keys that don't have AES keys, you do need to list fallback enctypes as supported until you've rekeyed them or you won't be able to authenticate to them. -- Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/> -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
