Package: krb5
Version: 1.19.2-2
Severity: normal

Dear Maintainer,

when creating a new realm using `krb5_newrealm`, the following warning
is logged in /var/log/syslog:

Apr 20 20:43:16 kdc krb5kdc[3136]: Stash file /etc/krb5kdc/stash uses
DEPRECATED enctype des3-cbc-sha1!

This comes from the kdc.conf template in
/usr/share/krb5-kdc/kdc.conf.template which has "master_key_type =
des3-hmac-sha1".

Maybe it's time to update that encryption type? The kdc.conf manpage
says that the current default is "aes256-cts-hmac-sha1-96". The sample
kdc.conf in the documentation at
https://web.mit.edu/kerberos/krb5-latest/doc/admin/install_kdc.html#kdc-conf
suggests just "master_key_type = aes256-cts".

I understand there may be important upgrade path considerations. Given
all the care and precautions that are shown for migrating away from
single DES in 
https://web.mit.edu/kerberos/krb5-latest/doc/admin/advanced/retiring-des.html,
changing the default master key type for fresh installs might also
require careful planning and thought, but at some point this process
must start. And upstream is now flagging DES3 as deprecated already.
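
An added example, not part of the original report or of the krb5 packaging: a small Python check that parses a kdc.conf and reports every realm whose master_key_type or supported_enctypes still names a DES3 enctype. The sample configuration and the realm EXAMPLE.COM are constructed, and the function name audit_kdc_conf is hypothetical.

```python
import re

# DES3 spellings accepted by krb5; the report shows the first two.
DEPRECATED = {"des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-sha1-kd", "des3"}
KEYS = {"master_key_type", "supported_enctypes"}

# Constructed sample, using the master_key_type value quoted in the report.
SAMPLE = """\
[kdcdefaults]
    kdc_ports = 88

[realms]
    EXAMPLE.COM = {
        # constructed realm stanza
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal des3-cbc-sha1:normal
    }
"""
# Same file with the value suggested by the upstream sample kdc.conf.
FIXED = (SAMPLE.replace("des3-hmac-sha1", "aes256-cts")
               .replace(" des3-cbc-sha1:normal", ""))

def audit_kdc_conf(text):
    """Return (realm, key, enctype) for each DES3 enctype under [realms]."""
    findings, section, realm = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                           # new top-level section
            section, realm = header.group(1), None
            continue
        if section != "realms":
            continue
        if line == "}":                      # end of a realm stanza
            realm = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":                     # "REALM = {" opens a stanza
            realm = key
        elif realm and key in KEYS:
            # supported_enctypes holds enctype:salt pairs; drop the salt.
            for token in value.replace(",", " ").split():
                enctype = token.split(":")[0].lower()
                if enctype in DEPRECATED:
                    findings.append((realm, key, enctype))
    return findings

if __name__ == "__main__":
    for realm, key, enctype in audit_kdc_conf(SAMPLE):
        print(f"{realm}: {key} uses deprecated enctype {enctype}")
```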
