Thanks to you all. We will update the key tabs to use stronger encryption.
So as Russ was saying, it seems that it is NOT the newer version of mod_webauth that disabled the DES encryption, it is the underlying MIT Krb lib in CentOS that disabled it.

Thanks again.

On Nov 5, 2012, at 10:07 AM, Russ Allbery wrote:

> Alan Ge <[email protected]> writes:
>
>> Thanks Gary, for the quick and detailed response.
>
>> I knew RedHat disabled DES by default in the krb client some time ago,
>> and the allow_weak_crypto re-enables it.
>
>> But when I checked, the old server did not have this entry either. So I
>> thought this was not it.
>
>> Now come to think of it, the older server is running Centos 5.5, and the
>> new one is running Centos 6.2.
>
>> So somewhere in between, RedHat/CentOS might have disabled the DES by
>> default.
>
> Yes, I'm fairly sure they did, since this was a change in the underlying
> MIT Kerberos libraries that I believe disabled DES by default in that time
> frame.
>
> --
> Russ Allbery <[email protected]>
> Technical Lead, ITS Infrastructure Delivery Group, Stanford University
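One way to find which keytab entries still hold single-DES keys before re-keying, as an added example that is not part of the original thread: a parser for the MIT keytab file format (version 0x0502) run over a constructed sample. The principal name, realm, timestamp and all-zero key bytes are made up, and `sample_entry` is a hypothetical helper that exists only to build that sample.

```python
import struct

SINGLE_DES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}  # enctype numbers

def _counted(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)   # 16-bit big-endian length, then data
    return buf[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def keytab_entries(data):
    """Yield (principal, kvno, enctype) for each entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:                      # end marker
            break
        if size < 0:                       # hole left by a deleted entry
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        p, names = pos + 2, []
        for _ in range(ncomp + 1):         # realm first, then the components
            name, p = _counted(data, p)
            names.append(name)
        p += 8                             # skip name type and timestamp
        kvno, etype, klen = struct.unpack_from(">BHH", data, p)
        p += 5 + klen                      # skip the key bytes, never printed
        if end - p >= 4:                   # optional 32-bit kvno
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        yield "/".join(names[1:]) + "@" + names[0], kvno, etype
        pos = end

def weak_entries(data):
    """Entries whose key is single DES and must be re-keyed."""
    return [(p, k, SINGLE_DES[e]) for p, k, e in keytab_entries(data) if e in SINGLE_DES]

def sample_entry(realm, comps, kvno, etype, key):  # builds one constructed entry
    s = lambda x: struct.pack(">H", len(x)) + x
    body = struct.pack(">H", len(comps)) + s(realm) + b"".join(s(c) for c in comps)
    body += struct.pack(">IIBH", 1, 1352138820, kvno, etype) + s(key)
    return struct.pack(">i", len(body)) + body

NAME = [b"webauth", b"www.example.org"]    # constructed principal, not from the thread
SAMPLE = (b"\x05\x02" + sample_entry(b"EXAMPLE.ORG", NAME, 1, 1, bytes(8))
          + struct.pack(">i", -6) + bytes(6)
          + sample_entry(b"EXAMPLE.ORG", NAME, 2, 18, bytes(32)))
```

For a real file, pass `open(path, "rb").read()` to `weak_entries`; an empty list means no single-DES keys remain in that keytab.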
