https://bugzilla.novell.com/show_bug.cgi?id=681201 https://bugzilla.novell.com/show_bug.cgi?id=681201#c Jiří­ Suchomel changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P3 - Medium CC| |jsuchome@novell.com AssignedTo|bnc-team-screening@forge.pr |jsuchome@novell.com |ovo.novell.com | -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=681201 https://bugzilla.novell.com/show_bug.cgi?id=681201#c1 Jiří­ Suchomel changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |NEEDINFO CC| |lnussel@novell.com InfoProvider| |mc@novell.com --- Comment #1 from Jiří­ Suchomel 2011-03-22 10:16:22 UTC --- (In reply to comment #0)

My suggestion is : Can you add box Download keytab file ? (similar as is for download certification for ldap client ? )

I think it could be good.

My suggestion is : Can you add allow weak crypto check box in the Kerberos Client ? the best place would be on the first list of advanced setting I think.

I also think it's fine to add this one, however

Ps : and what about one more list in the advanced setting for different type of encryption ?( like : des-cbc-crc des3-hmac-sha1 ) that would be nice too.

I'm not sure about these. Michael, what do you think? Does yast2 kerberos-client deserve new options to be set from UI? (And Ludwig, what do you you think about those security options?) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=681201 https://bugzilla.novell.com/show_bug.cgi?id=681201#c4 Michael Calmer changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |ASSIGNED CC| |mc@novell.com InfoProvider|mc@novell.com | --- Comment #4 from Michael Calmer 2011-03-22 11:47:53 UTC --- weak_crypto option is only available in newer versions of krb5. They have disabled single DES and you can enable it again with this option. But some services only support single DES, e.g. nfsv4 using GSSAPI. As I understand this, nfsv4 using crypto routines from the kernel. And the kernel support only single DES. This may have changed in newer kernel versions which might also support 3DES. I think a checkbox for allow_weak_crypto might be good, but configure a list of crypto things might be overkill. About the keytab: using wget is not a good option. The kadmin command provide an interface to add a key to a keytab. $> kadmin ... kadmin> ktadd host/xyz.example.com add the key for the principal host/xyz.example.com to the local keytab. This command works remote. Using this the kvno changes (key version number). If you need the same key on different hosts you need to copy it in a different way. Supporting things like this would lead into writing a GUI for kadmin. Which is in general a good idea, but overkill for yast2-kerberos-client. (I think yast2-kerberos-client should setup a working kerberos authentication and should not be a full admin interface) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=681201 https://bugzilla.novell.com/show_bug.cgi?id=681201#c8 Michael Calmer changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |ASSIGNED InfoProvider|mc@novell.com | --- Comment #8 from Michael Calmer 2011-04-01 08:02:55 UTC --- We will never have a major version update for kerberos in SLES11. And Comment#3 is not fully correct. Kerberos, also on sles11, support strong crypto. New versions of kerberos try to remove the weak crypto stuff. The checkbox is there to enable support of weak crypto again, because some services (e.g. nfsv4) require weak crypto. They do not work with strong crypto. So, if you don't want weak crypto, you need to fix the services, not kerberos :-) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=681201 https://bugzilla.novell.com/show_bug.cgi?id=681201#c10 Jiří­ Suchomel changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution| |WONTFIX --- Comment #10 from Jiří­ Suchomel 2011-05-23 07:53:48 UTC --- Well, according to Michael's comments, I now think it would not make sense to add such extra options to YaST module... (Sorry, Martin, for encouraging you to file a request) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.