All, When I kinit from my macOS mojave machine against $dayjob's kdc, I get the following
mustelid:~ dmahoney$ kinit dmaho...@foo.org's password: Encryption type des3-cbc-sha1(16) used for authentication is weak and will be deprecated Searching for this message yields surprisingly little. My install of mojave has no krb5.conf, so it's using whatever the compiled-in defaults are. Here are my questions, then. q1: Is there a way of seeing what those are? (Or, of spewing out a krb5.conf that reflects the defaults?) q2: Is there a way of seeing which enctypes are supported on a krb5kdc (i.e. as part of the kinit process, not by looking in the filesystem). q3: On the same note, what are others in the modern world moving to with this algo being deprecated? Is there a current recommendation? If one disables des3-cbc-sha1, what versions of kerberos are you effectively blackholing? I've found links on the mit.edu page about des (single-des) being deprecated, but not 3des yet: https://web.mit.edu/kerberos/www/krb5-1.12/doc/admin/advanced/retiring-des.html But deprecation of 3des is mentioned in this internet draft: https://tools.ietf.org/id/draft-ietf-curdle-des-des-des-die-die-die-01.html (I have no idea about apple's internal processes, or what other vendors are following suit). -Dan -- --------Dan Mahoney-------- Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC FB: fb.com/DanielMahoneyIV LI: linkedin.com/in/gushi Site: http://www.gushi.org --------------------------- ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
