Nico Williams wrote: > On Wed, Oct 11, 2017 at 05:47:58PM +0700, Victor Sudakov wrote: > > "kadmin -l" by default creates principals with the following Keytypes: > > aes256-cts-hmac-sha1-96(pw-salt), des3-cbc-sha1(pw-salt), > > arcfour-hmac-md5(pw-salt). > > > > How do I create a principal with the weak des-cbc-crc keytype? The > > "add" command does not seem to support the specification of > > encryption types. > > > > There is an option "allow_weak_crypto = true" for krb5.conf, but I > > don't understand in which section it should be for "kadmin -l" to > > honour it. > > Hmmm, yeah, we don't have a -e argument for specifying a list of > enctypes (or, rather, keysalttype). > > Anyways, you can set the [kadmin] section default_keys parameter to a > list of keysalttypes like so: > > [kadmin] > default_keys = aes256-cts-hmac-sha1-96:pw-salt > default_keys = des3-cbc-sha1:pw-salt > default_keys = arcfour-hmac-md5:pw-salt > > (That's the baked-in default list, FYI. We should probably drop des3 > and arcfour and add aes128.) >
Many thanks, this worked. I have made a note to memorize this: https://victor-sudakov.dreamwidth.org/424888.html -- Victor Sudakov, VAS4-RIPE, VAS47-RIPN AS43859
