>>>>> "Russ" == Russ Allbery <r...@debian.org> writes:
Russ> Vasilis Vasaitis <v.vasai...@sms.ed.ac.uk> writes:
>> However, IMHO this is an unsatisfactory solution. Packages should
>> ideally work correctly with their default settings, and therefore
>> having each person that needs openafs-krb5 edit krb5.conf is not
>> ideal. So I was wondering if the maintainers involved have a way
>> in mind to avoid this? A conf.d style solution perhaps? Patching
>> openafs-krb5 so that it specifies the setting programmatically in
>> its code? Something else?
Russ> Unfortunately, MIT Kerberos doesn't support conf.d-style
Russ> krb5.conf files, and I don't believe there's any way to set
Russ> this parameter programmatically rather than in the krb5.conf
Russ> file.
There's also the issue that it is a fairly security sensitive setting.
I think that weakening the security defaults like this is something the
user should at least know about.
However it's possible we could do something in krb5-config. For
example, ask about allow_weak_crypto at priority low normally, but if we
find /usr/bin/aklog ask at priority high.
Would that make things better?
--sam
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
