Public bug reported: The allow_weak_crypto krb5.conf option was added to Heimdal during the 1.2 release, but was implemented incorrectly. The check for desired enctypes was performed before the check to see if allow_weak_crypto is true.
This has the unfortunate effect of resulting in a completely empty enctypes list if the configured list of desired enctypes contains only enctypes classified as "weak", since the "weak" enctypes are not valid choices (and are thus kicked out of contention) until after the filtering of the desired enctypes list is performed. This feature was implemented during the 1.2 release of Heimdal, on 2008-08-17: https://github.com/heimdal/heimdal/commit/aa3cf9664515246bb8a9674ef270ba9433e0f25c And the logic was corrected to the proper behavior after the release of 1.4, on 2010-10-02: https://github.com/heimdal/heimdal/commit/799956e9b7ebdeecd2df202638f7656a25664ed9 - Lucid provides Heimdal packages from the 1.2 branch (1.2.e1.dfsg.1-1ubuntu1) that contain the mis-implemented version. - Maverick provides Heimdal packages from the 1.4 branch (1.4.0~git20100605.dfsg.1-2) that pre-date the fix. - Natty contains Heimdal packages from the 1.4 branch (1.4.0+git20110124) that post-date the fix. In addition to being fixed upstream and released in Natty, a new enough version has also been released in Debian Experimental (1.4.0+git20110411.dfsg.1-1). ** Affects: heimdal (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/784255 Title: Lucid/Maverick heimdal packages have broken allow_weak_crypto implementation -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs