On Oct 3, 2012, at 10:49 AM, Simo Sorce wrote:

> On Wed, 2012-10-03 at 13:26 -0400, Steve Dickson wrote:
>> Hello,
>> These issues were found at this Fall's Bake-a-ton... 
>> On 03/10/12 13:02, Chuck Lever wrote:
>>> Free IPA does not support weak crypto
>>>  https://bugzilla.linux-nfs.org/show_bug.cgi?id=229
> DES support is disabled on purpose, IETF also has an RFC approved that
> finally says DES *should* not be made available anymore.

SHOULD NOT means the IETF acknowledges that there are still legitimate reasons 
to allow des-crc-cbc in some cases.

> DES can be cracked in a matter of hours these days which makes its use
> questionable.

We know that des-crc-cbc is garbage, fwiw.  The point is there are plenty of 
legacy implementations that have to co-exist with Free IPA and with 
implementations that use only known-secure encryption types.

> DES can be re-enabled manually by twisting a bunch of knobs if you
> really want to. (including enable weak crypto in krb5.conf)

That wasn't enough for us; it was enabled on both the NFS server and client.  
Yes, we could have been "doing it wrong." :-)

We think backwards compatibility is one reason to continue to make the use of 
des-crc-cbc a first-class use case.

> So I would close as NOTABUG.
>>> Confusing debugging output when configuring NFS over Kerberos 
>>>  https://bugzilla.linux-nfs.org/show_bug.cgi?id=230
> Not much we (FreeIPA) can do about this one. GSSAPI error codes can be
> cryptic at times, but they are returned by libgssapi not FreeIPA.
> Maybe you can add more meat to the debug on the rpc.svcgssd side by
> printing out what principal you tried to use.
> If you can identify for sure what causes the error we can open a bug
> against MIT and see if there is a chance GSSAPI can properly identify
> the error. Unfortunately it doesn't help that there are many abstraction
> layers involved here and sometimes error messages get mangled/lost in
> the process :-/ (Basically KDC errors -> krb5 protocol level error ->
> libkrb5 level error -> libgssapi level error -> application)

Agree, we are trying to document these issues by filing bugs like this one.

Thanks for your comments.

Chuck Lever

Freeipa-devel mailing list
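The knobs Simo mentions have to agree on every host that touches the DES key: the key must actually be in the keytab, and that host's libkrb5 must be told to use it (MIT krb5's allow_weak_crypto in [libdefaults], plus DES in the enctype lists). The RFC he refers to is presumably RFC 6649, which deprecates the single-DES enctypes. The script below is an added example, not code from this thread, from FreeIPA or from the linux-nfs project; the klist -ke output, the krb5.conf fragments, the host names and the realm EXAMPLE.TEST are all constructed. It reports the DES keys in a keytab listing, whether a krb5.conf admits them, and a one-word verdict for the host, which is the first thing to check before chasing a cryptic GSSAPI error.

```shell
#!/bin/sh
# Added example, not code from the thread, FreeIPA or linux-nfs.
# Checks the two places a single-DES (des-cbc-crc) NFS/Kerberos setup has to
# agree on one host: the keys present in its keytab, and whether krb5.conf
# lets MIT krb5 use them (allow_weak_crypto). All inputs are constructed.

# Constructed `klist -ke` output for a hypothetical NFS server keytab.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/nfs1.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   2 nfs/nfs1.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   2 nfs/nfs1.example.test@EXAMPLE.TEST (des-cbc-crc)
   3 host/nfs1.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)'

# Constructed krb5.conf fragments: MIT defaults (weak crypto off), and the
# "knobs twisted" variant that admits des-cbc-crc on this host.
KRB5_DEFAULT='[libdefaults]
  default_realm = EXAMPLE.TEST
  dns_lookup_kdc = true'

KRB5_WEAK='[libdefaults]
  default_realm = EXAMPLE.TEST
  allow_weak_crypto = true
  default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des-cbc-crc
  default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des-cbc-crc
  permitted_enctypes   = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des-cbc-crc
[realms]
  EXAMPLE.TEST = {
    kdc = ipa.example.test
  }'

# weak_keys: read `klist -ke` output on stdin; print "principal enctype" for
# every key whose enctype is single DES (the types RFC 6649 deprecates).
weak_keys() {
    awk '/\((des-cbc-crc|des-cbc-md4|des-cbc-md5)\)[[:space:]]*$/ {
             enc = $3; gsub(/[()]/, "", enc); print $2, enc
         }'
}

# allow_weak_crypto_enabled: read a krb5.conf on stdin; print "yes" when
# [libdefaults] sets allow_weak_crypto to a true-ish value, else "no".
allow_weak_crypto_enabled() {
    awk '
        /^[[:space:]]*\[/ { section = $0
                            sub(/^[[:space:]]*\[/, "", section)
                            sub(/\].*$/, "", section) }
        section == "libdefaults" && /^[[:space:]]*allow_weak_crypto[[:space:]]*=/ {
            n = index($0, "="); v = tolower(substr($0, n + 1))
            gsub(/[[:space:]]/, "", v)
            if (v == "true" || v == "yes" || v == "1" || v == "on") found = 1
        }
        END { print (found ? "yes" : "no") }'
}

# assess KEYTAB_TEXT CONF_TEXT: one-word verdict for this host.
#   ok                 - no DES keys and weak crypto off
#   weak               - DES keys present and krb5.conf allows them (interop mode)
#   unused             - DES keys present but krb5.conf does not allow them:
#                        the key sits in the keytab but libkrb5 will not use it
#   allowed-but-no-key - weak crypto on, but no DES key to use it with
assess() {
    nweak=$(printf '%s\n' "$1" | weak_keys | wc -l | tr -d ' ')
    allowed=$(printf '%s\n' "$2" | allow_weak_crypto_enabled)
    if [ "$nweak" -gt 0 ] && [ "$allowed" = yes ]; then echo weak
    elif [ "$nweak" -gt 0 ]; then echo unused
    elif [ "$allowed" = yes ]; then echo allowed-but-no-key
    else echo ok
    fi
}

# Stand-alone run: list the DES keys and give the verdict for both configs.
printf '%s\n' "$SAMPLE_KLIST" | weak_keys
echo "default conf: $(assess "$SAMPLE_KLIST" "$KRB5_DEFAULT")"
echo "weak conf:    $(assess "$SAMPLE_KLIST" "$KRB5_WEAK")"
```

On a real host, feed it `klist -ke /etc/krb5.keytab` and `/etc/krb5.conf`. A verdict of "unused" on either the NFS client or the server is the situation the thread describes: the DES key exists but libkrb5 will not select it, so the failure surfaces several layers up as a GSSAPI error. The check says nothing about the KDC side; the service principal must also hold a DES key there, which, per Simo, a FreeIPA KDC does not hand out by default.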
