[Touch-packages] [Bug 1981697] Re: KDC: weak crypto in default settings

Mon, 25 Jul 2022 05:21:06 -0700 

This was fixed in debian and is currently in kinetic-proposed:

https://launchpad.net/ubuntu/+source/krb5/1.20-1

I'm unsure how to approach this from an SRU perspective, given it's a
configuration setting in the default config file that is ship:

--- a/debian/kdc.conf
+++ b/debian/kdc.conf
@@ -10,7 +10,7 @@
         kdc_ports = 750,88
         max_life = 10h 0m 0s
         max_renewable_life = 7d 0h 0m 0s
-        master_key_type = des3-hmac-sha1
+        #master_key_type = aes256-cts
         #supported_enctypes = aes256-cts:normal aes128-cts:normal
         default_principal_flags = +preauth
     }

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1981697

Title:
  KDC: weak crypto in default settings

Status in krb5 package in Ubuntu:
  Confirmed
Status in krb5 package in Debian:
  Unknown

Bug description:
  Default setting in /etc/krb5kdc/kdc.conf, as installed from krb5-kdc in 
Ubuntu 22.04 Server:
  master_key_type = des3-hmac-sha1

  3DES was deprecated by NIST in 2017, i.e. give years ago! Reference:
  https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-
  of-TDEA . This should not be a default since a very long time, and
  particularly not for new installations. If a compatibility with out-
  of-date installations is necessary, this should be explicitly made be
  the administrator.

  SHA-1 was deprecated as well, in 2011, i.e. eleven years ago!
  Reference:
  https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-131a.pdf
  .

  A reasonable default would probably be:
  master_key_type = aes256-cts-hmac-sha384-192

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: krb5-kdc 1.19.2-2
  ProcVersionSignature: Ubuntu 5.15.0-40.43-generic 5.15.35
  Uname: Linux 5.15.0-40-generic x86_64
  ApportVersion: 2.20.11-0ubuntu82.1
  Architecture: amd64
  CasperMD5CheckResult: pass
  Date: Thu Jul 14 12:34:22 2022
  InstallationDate: Installed on 2022-05-30 (45 days ago)
  InstallationMedia: Ubuntu-Server 22.04 LTS "Jammy Jellyfish" - Release amd64 
(20220421)
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=en_IE.UTF-8
   SHELL=/bin/bash
  SourcePackage: krb5
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1981697/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to