Re: [Freeipa-devel] [PATCH] Remove des3/arcfour from default enctypes
On 13.01.2016 15:06, Alexander Bokovoy wrote: On Mon, 23 Nov 2015, Simo Sorce wrote: Note, this does not touch the trust code because apparently we use only arcfour there. CCing Alexander to give me a comment about that, probably worth opening a ticket specific to trusts. Otherwise addresses #4740 Simo. -- Simo Sorce * Red Hat, Inc * New York From 70b4c8971ca623aa51e8e7d1f0e5d245a05c7396 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 23 Nov 2015 13:40:42 -0500 Subject: [PATCH] Use only AES enctypes by default Remove des3 and arcfour from the defaults for new installs. NOTE: the ipasam/dcerpc code sill uses arcfour Signed-off-by: Simo Sorce Ticket: https://fedorahosted.org/freeipa/ticket/4740 --- daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 14 +++--- install/share/kerberos.ldif | 2 -- 2 files changed, 3 insertions(+), 13 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c index 1a8ef47b0fc6a932a4115dfa05ecf1a39c8e762f..5dc606d22305cf63a16feca30aab2728bb20b80d 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c @@ -55,18 +55,10 @@ extern const char *ipa_realm_dn; extern const char *ipa_etc_config_dn; extern const char *ipa_pwd_config_dn; -/* These are the default enc:salt types if nothing is defined. - * TODO: retrieve the configure set of ecntypes either from the - * kfc.conf file or by synchronizing the file content into - * the directory */ +/* These are the default enc:salt types if nothing is defined in LDAP */ static const char *ipapwd_def_encsalts[] = { -"des3-hmac-sha1:normal", -/*"arcfour-hmac:normal", -"des-hmac-sha1:normal", -"des-cbc-md5:normal", */ -"des-cbc-crc:normal", -/*"des-cbc-crc:v4", -"des-cbc-crc:afs3", */ +"aes256-cts:special", +"aes128-cts:special", NULL }; 
diff --git a/install/share/kerberos.ldif b/install/share/kerberos.ldif index 41e77952adafaf28bfaa96b4c1f1a81ef96348be..1f556382e262ec1b71eb0f4267de0a987952d84d 100644 --- a/install/share/kerberos.ldif +++ b/install/share/kerberos.ldif @@ -30,8 +30,6 @@ krbMaxTicketLife: 86400 krbMaxRenewableAge: 604800 krbDefaultEncSaltTypes: aes256-cts:special krbDefaultEncSaltTypes: aes128-cts:special -krbDefaultEncSaltTypes: des3-hmac-sha1:special -krbDefaultEncSaltTypes: arcfour-hmac:special # Default password Policy dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX -- 2.5.0 ACK. Pushed to: master: 58ab032f1ae20454d4b9d760c7601fd8b44045f5 ipa-4-3: bad5b0247984635fe402283aee259f35a048df6b -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
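Review bot: the common.c hunk changes more than the commit message states: the old fallback array used the "normal" salt type ("des3-hmac-sha1:normal", "des-cbc-crc:normal") and the new one uses "special" ("aes256-cts:special", "aes128-cts:special"), and arcfour-hmac was already commented out there, so the real change in this file is des3/des-cbc-crc removed and the salt type switched to match kerberos.ldif. Please say so in the commit message (and fix "sill" to "still" in the NOTE line), so that anyone bisecting a salt-type regression on an LDAP-less fallback path can find this change.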
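Review bot: the kerberos.ldif hunk only affects the template applied at install time, so a realm installed before this change keeps des3-hmac-sha1:special and arcfour-hmac:special in its krbDefaultEncSaltTypes attribute; the commit message should state whether an upgrade step will rewrite that attribute or whether administrators are expected to edit it themselves. Since the NOTE says ipasam/dcerpc still uses arcfour and the cover note says the trust code uses only arcfour, it would also help to spell out that the trust keys do not depend on this attribute, and to reference the trust-specific ticket once it is opened.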
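An added example, not FreeIPA's own code, that does the check this patch implies for a realm installed before the change: it parses the krbDefaultEncSaltTypes values out of an LDIF fragment and flags the des/des3/arcfour entries that new installs no longer get. The LDIF below is constructed to resemble the pre-patch kerberos.ldif, with a hypothetical realm EXAMPLE.TEST; the enctype alias names are MIT krb5's short spellings, which is what the template uses.

```python
"""Audit a Kerberos enc:salt list for legacy enctypes.

Added example, not FreeIPA project code. The patch above removes
des3-hmac-sha1 and arcfour-hmac from the defaults for *new* installs
only, so an older realm keeps whatever list was written at install time.
This script surfaces such entries from an LDIF export of the realm
container (the sample LDIF at the bottom is constructed).
"""
import re

# MIT krb5 short aliases: "aes256-cts" is aes256-cts-hmac-sha1-96,
# "arcfour-hmac" is also spelled "rc4-hmac", "des3-hmac-sha1" is
# also spelled "des3-cbc-sha1". Anything starting with these is legacy.
LEGACY_ENCTYPE_PREFIXES = ("des-", "des3-", "arcfour-", "rc4-")

# "enctype" or "enctype:salttype"; MIT defaults the salt type to "normal".
ENCSALT_RE = re.compile(r"^(?P<enctype>[a-z0-9-]+)(?::(?P<salt>[a-z0-9]+))?$")


def parse_encsalt(entry):
    """Split 'enctype:salttype' into (enctype, salttype); salt defaults to 'normal'."""
    m = ENCSALT_RE.match(entry.strip())
    if not m:
        raise ValueError("malformed enc:salt entry: %r" % entry)
    return m.group("enctype"), m.group("salt") or "normal"


def classify(enctype):
    """Return 'legacy' for DES/3DES/RC4 family names, 'aes' for AES, else 'other'."""
    if enctype.startswith(LEGACY_ENCTYPE_PREFIXES):
        return "legacy"
    if enctype.startswith("aes"):
        return "aes"
    return "other"


def encsalts_from_ldif(ldif_text, attr="krbDefaultEncSaltTypes"):
    """Collect every value of a multi-valued attribute from LDIF text.

    Only the first colon separates attribute name from value, so the
    enc:salt colon inside the value survives.
    """
    values = []
    for line in ldif_text.splitlines():
        if line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        if name.strip() == attr:
            values.append(value.strip())
    return values


def audit(entries):
    """Group parsed (enctype, salt) tuples into legacy / aes / other."""
    report = {"legacy": [], "aes": [], "other": []}
    for entry in entries:
        enctype, salt = parse_encsalt(entry)
        report[classify(enctype)].append((enctype, salt))
    return report


# Constructed sample modelled on the pre-patch kerberos.ldif defaults;
# EXAMPLE.TEST is a hypothetical realm used only for this example.
SAMPLE_LDIF = """\
dn: cn=EXAMPLE.TEST,cn=kerberos,dc=example,dc=test
krbMaxTicketLife: 86400
krbMaxRenewableAge: 604800
krbDefaultEncSaltTypes: aes256-cts:special
krbDefaultEncSaltTypes: aes128-cts:special
krbDefaultEncSaltTypes: des3-hmac-sha1:special
krbDefaultEncSaltTypes: arcfour-hmac:special
# Default password Policy
"""

if __name__ == "__main__":
    result = audit(encsalts_from_ldif(SAMPLE_LDIF))
    for enctype, salt in result["legacy"]:
        print("legacy enc:salt still configured: %s:%s" % (enctype, salt))
    if not result["legacy"]:
        print("only AES enc:salt types configured")
```

Feed it an ldapsearch export of the realm's cn=$REALM,cn=kerberos entry instead of the sample to check a live deployment. Note that this covers only the LDAP attribute the patch edits; the KDC's own supported_enctypes in kdc.conf is a separate list and is not read here.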
Re: [Freeipa-devel] [PATCH] Remove des3/arcfour from default enctypes
On Mon, 23 Nov 2015, Simo Sorce wrote: Note, this does not touch the trust code because apparently we use only arcfour there. CCing Alexander to give me a comment about that, probably worth opening a ticket specific to trusts. Otherwise addresses #4740 Simo. -- Simo Sorce * Red Hat, Inc * New York From 70b4c8971ca623aa51e8e7d1f0e5d245a05c7396 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 23 Nov 2015 13:40:42 -0500 Subject: [PATCH] Use only AES enctypes by default Remove des3 and arcfour from the defaults for new installs. NOTE: the ipasam/dcerpc code sill uses arcfour Signed-off-by: Simo Sorce Ticket: https://fedorahosted.org/freeipa/ticket/4740 --- daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 14 +++--- install/share/kerberos.ldif | 2 -- 2 files changed, 3 insertions(+), 13 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c index 1a8ef47b0fc6a932a4115dfa05ecf1a39c8e762f..5dc606d22305cf63a16feca30aab2728bb20b80d 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c @@ -55,18 +55,10 @@ extern const char *ipa_realm_dn; extern const char *ipa_etc_config_dn; extern const char *ipa_pwd_config_dn; -/* These are the default enc:salt types if nothing is defined. - * TODO: retrieve the configure set of ecntypes either from the - * kfc.conf file or by synchronizing the file content into - * the directory */ +/* These are the default enc:salt types if nothing is defined in LDAP */ static const char *ipapwd_def_encsalts[] = { -"des3-hmac-sha1:normal", -/*"arcfour-hmac:normal", -"des-hmac-sha1:normal", -"des-cbc-md5:normal", */ -"des-cbc-crc:normal", -/*"des-cbc-crc:v4", -"des-cbc-crc:afs3", */ +"aes256-cts:special", +"aes128-cts:special", NULL }; diff --git a/install/share/kerberos.ldif b/install/share/kerberos.ldif index 41e77952adafaf28bfaa96b4c1f1a81ef96348be..1f556382e262ec1b71eb0f4267de0a987952d84d 100644 
--- a/install/share/kerberos.ldif +++ b/install/share/kerberos.ldif @@ -30,8 +30,6 @@ krbMaxTicketLife: 86400 krbMaxRenewableAge: 604800 krbDefaultEncSaltTypes: aes256-cts:special krbDefaultEncSaltTypes: aes128-cts:special -krbDefaultEncSaltTypes: des3-hmac-sha1:special -krbDefaultEncSaltTypes: arcfour-hmac:special # Default password Policy dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX -- 2.5.0
ACK.
-- / Alexander Bokovoy
Re: [Freeipa-devel] [PATCH] Remove des3/arcfour from default enctypes
On 23.11.2015 19:49, Simo Sorce wrote:
Note, this does not touch the trust code because apparently we use only arcfour there. CCing Alexander to give me a comment about that, probably worth opening a ticket specific to trusts. Otherwise addresses #4740
Simo.

Patch works for me; if Alexander agrees, I can push it.