Re: [Freeipa-devel] [PATCH] Remove des3/arcfour from default enctypes
On 13.01.2016 15:06, Alexander Bokovoy wrote:
On Mon, 23 Nov 2015, Simo Sorce wrote:
Note, this does not touch the trust code because apparently we use only
arcfour there.
CCing Alexander to give me a comment about that, probably worth opening
a ticket specific to trusts.
Otherwise addresses #4740
Simo.
--
Simo Sorce * Red Hat, Inc * New York
From 70b4c8971ca623aa51e8e7d1f0e5d245a05c7396 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Mon, 23 Nov 2015 13:40:42 -0500
Subject: [PATCH] Use only AES enctypes by default
Remove des3 and arcfour from the defaults for new installs.
NOTE: the ipasam/dcerpc code sill uses arcfour
Signed-off-by: Simo Sorce
Ticket: https://fedorahosted.org/freeipa/ticket/4740
---
daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 14 +++---
install/share/kerberos.ldif | 2 --
2 files changed, 3 insertions(+), 13 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
index
1a8ef47b0fc6a932a4115dfa05ecf1a39c8e762f..5dc606d22305cf63a16feca30aab2728bb20b80d
100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@@ -55,18 +55,10 @@ extern const char *ipa_realm_dn;
extern const char *ipa_etc_config_dn;
extern const char *ipa_pwd_config_dn;
-/* These are the default enc:salt types if nothing is defined.
- * TODO: retrieve the configure set of ecntypes either from the
- * kfc.conf file or by synchronizing the file content into
- * the directory */
+/* These are the default enc:salt types if nothing is defined in
LDAP */
static const char *ipapwd_def_encsalts[] = {
-"des3-hmac-sha1:normal",
-/*"arcfour-hmac:normal",
-"des-hmac-sha1:normal",
-"des-cbc-md5:normal", */
-"des-cbc-crc:normal",
-/*"des-cbc-crc:v4",
-"des-cbc-crc:afs3", */
+"aes256-cts:special",
+"aes128-cts:special",
NULL
};
diff --git a/install/share/kerberos.ldif b/install/share/kerberos.ldif
index
41e77952adafaf28bfaa96b4c1f1a81ef96348be..1f556382e262ec1b71eb0f4267de0a987952d84d
100644
--- a/install/share/kerberos.ldif
+++ b/install/share/kerberos.ldif
@@ -30,8 +30,6 @@ krbMaxTicketLife: 86400
krbMaxRenewableAge: 604800
krbDefaultEncSaltTypes: aes256-cts:special
krbDefaultEncSaltTypes: aes128-cts:special
-krbDefaultEncSaltTypes: des3-hmac-sha1:special
-krbDefaultEncSaltTypes: arcfour-hmac:special
# Default password Policy
dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
--
2.5.0
ACK.
Pushed to:
master: 58ab032f1ae20454d4b9d760c7601fd8b44045f5
ipa-4-3: bad5b0247984635fe402283aee259f35a048df6b
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] Remove des3/arcfour from default enctypes
On Mon, 23 Nov 2015, Simo Sorce wrote:
Note, this does not touch the trust code because apparently we use only
arcfour there.
CCing Alexander to give me a comment about that, probably worth opening
a ticket specific to trusts.
Otherwise addresses #4740
Simo.
--
Simo Sorce * Red Hat, Inc * New York
From 70b4c8971ca623aa51e8e7d1f0e5d245a05c7396 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Mon, 23 Nov 2015 13:40:42 -0500
Subject: [PATCH] Use only AES enctypes by default
Remove des3 and arcfour from the defaults for new installs.
NOTE: the ipasam/dcerpc code sill uses arcfour
Signed-off-by: Simo Sorce
Ticket: https://fedorahosted.org/freeipa/ticket/4740
---
daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 14 +++---
install/share/kerberos.ldif | 2 --
2 files changed, 3 insertions(+), 13 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
index
1a8ef47b0fc6a932a4115dfa05ecf1a39c8e762f..5dc606d22305cf63a16feca30aab2728bb20b80d
100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@@ -55,18 +55,10 @@ extern const char *ipa_realm_dn;
extern const char *ipa_etc_config_dn;
extern const char *ipa_pwd_config_dn;
-/* These are the default enc:salt types if nothing is defined.
- * TODO: retrieve the configure set of ecntypes either from the
- * kfc.conf file or by synchronizing the file content into
- * the directory */
+/* These are the default enc:salt types if nothing is defined in LDAP */
static const char *ipapwd_def_encsalts[] = {
-"des3-hmac-sha1:normal",
-/*"arcfour-hmac:normal",
-"des-hmac-sha1:normal",
-"des-cbc-md5:normal", */
-"des-cbc-crc:normal",
-/*"des-cbc-crc:v4",
-"des-cbc-crc:afs3", */
+"aes256-cts:special",
+"aes128-cts:special",
NULL
};
diff --git a/install/share/kerberos.ldif b/install/share/kerberos.ldif
index
41e77952adafaf28bfaa96b4c1f1a81ef96348be..1f556382e262ec1b71eb0f4267de0a987952d84d
100644
--- a/install/share/kerberos.ldif
+++ b/install/share/kerberos.ldif
@@ -30,8 +30,6 @@ krbMaxTicketLife: 86400
krbMaxRenewableAge: 604800
krbDefaultEncSaltTypes: aes256-cts:special
krbDefaultEncSaltTypes: aes128-cts:special
-krbDefaultEncSaltTypes: des3-hmac-sha1:special
-krbDefaultEncSaltTypes: arcfour-hmac:special
# Default password Policy
dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
--
2.5.0
ACK.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] Remove des3/arcfour from default enctypes
On 23.11.2015 19:49, Simo Sorce wrote: Note, this does not touch the trust code because apparently we use only arcfour there. CCing Alexander to give me a comment about that, probably worth opening a ticket specific to trusts. Otherwise addresses #4740 Simo. Patch works for me, if Alexander agree, I can push it. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
