On 29.12.2014 23:31, Matt . wrote: > But should an IPA install not add them by default ? Maybe this is some
I'm not sure that I understand what you mean, but DES is disabled on purpose because it is completely insecure nowadays. Maybe you should try to rule it out from your deployment. According to [1], it was possible to attack DES key back in 2008. I don't want to even guess how easy it has to be today. DES in Kerberos was formally deprecated by RFC 6649 [2]. Also, -CRC variants are completely insecure by design (because it is malleable). [1] http://en.wikipedia.org/wiki/Data_Encryption_Standard#Chronology [2] https://tools.ietf.org/html/rfc6649 Have a nice day! -- Petr^2 Spacek -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
