On 29.12.2014 23:31, Matt . wrote:
> But should an IPA install not add them by default ? Maybe this is some

I'm not sure that I understand what you mean, but DES is disabled on purpose
because it is completely insecure nowadays. Maybe you should try to rule it
out from your deployment.

According to [1], it was possible to attack DES key back in 2008. I don't want
to even guess how easy it has to be today. DES in Kerberos was formally
deprecated by RFC 6649 [2].

Also, -CRC variants are completely insecure by design (because it is malleable).

[1] http://en.wikipedia.org/wiki/Data_Encryption_Standard#Chronology
[2] https://tools.ietf.org/html/rfc6649

Have a nice day!

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to