On Wed, 22 Oct 2014, Jan Pospíšil wrote: > Is there a way one can force the default kerberos in Yosemite to > allow-weak-crypto? Or do I have to install for example the MIT or Heimdal > kerboeros separately as a workaround before our keys will be upgraded to a > different encryption type (may take rather long time)?
I would strongly suggest that you expend effort on hastening the upgrading of keys. http://web.mit.edu/achernya/Public/thesis.pdf describes much of the work done to support rxkad-k5 for OpenAFS, and has references for the extreme weakness of single-DES long-term keys. These keys can be cracked in under a day at a cost of less than 100 USD. I expect you value your data more highly than that. -Ben
