** Changed in: krb5 (Debian)
       Status: New => Fix Released

https://bugs.launchpad.net/bugs/1969676

Title:
  Stash file /etc/krb5kdc/stash uses DEPRECATED enctype des3-cbc-sha1

Status in krb5 package in Ubuntu:
  Triaged
Status in krb5 package in Debian:
  Fix Released

Bug description:
  When provisioning a new realm, this warning is logged in
  /var/log/syslog:

  ==> /var/log/syslog <==
  Apr 20 20:43:16 kdc systemd[1]: Starting Kerberos 5 Key Distribution Center...
  Apr 20 20:43:16 kdc krb5kdc[3136]: Stash file /etc/krb5kdc/stash uses DEPRECATED enctype des3-cbc-sha1!

  This comes from "master_key_type" in the default kdc.conf shipped in
  krb5-kdc:

  $ cat /usr/share/krb5-kdc/kdc.conf.template
  [kdcdefaults]
      kdc_ports = 750,88

  [realms]
      @MYREALM = {
          database_name = /var/lib/krb5kdc/principal
          admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
          acl_file = /etc/krb5kdc/kadm5.acl
          key_stash_file = /etc/krb5kdc/stash
          kdc_ports = 750,88
          max_life = 10h 0m 0s
          max_renewable_life = 7d 0h 0m 0s
          master_key_type = des3-hmac-sha1
          #supported_enctypes = aes256-cts:normal aes128-cts:normal
          default_principal_flags = +preauth
      }

  The kdc.conf manpage says that the current default is
  "aes256-cts-hmac-sha1-96".

  The sample kdc.conf in the documentation at
  https://web.mit.edu/kerberos/krb5-latest/doc/admin/install_kdc.html#kdc-conf
  suggests just "master_key_type = aes256-cts".

  Changing encryption defaults should be done carefully, even when
  suggested by upstream.

  I filed bugs.debian.org/1009927 in Debian as well.
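
A configuration check for the setting this report describes, added here as an example (not part of the bug report or of krb5): it reads kdc.conf text and reports realms whose master_key_type is a weak enctype. The WEAK_PREFIXES list, the function names and the sample realms are assumptions made for illustration.

```python
import re

# Assumption: weak-name prefixes; the page confirms only the des3 names.
WEAK_PREFIXES = ("des", "arcfour", "rc4")
# Default per the kdc.conf manpage, as quoted in the bug description.
DEFAULT_MKEY_TYPE = "aes256-cts-hmac-sha1-96"

# Constructed sample modelled on the kdc.conf.template in the report.
SAMPLE = """\
[kdcdefaults]
    kdc_ports = 750,88
[realms]
    OLD.EXAMPLE = {
        master_key_type = des3-hmac-sha1
        #supported_enctypes = aes256-cts:normal aes128-cts:normal
    }
    NEW.EXAMPLE = {
        master_key_type = aes256-cts
    }
    UNSET.EXAMPLE = {
        max_life = 10h 0m 0s
    }
"""

def master_key_types(conf_text):
    """Return {realm: master_key_type} for each realm under [realms]."""
    result, section, realm = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, realm = header.group(1), None
        elif realm is None:
            opened = re.fullmatch(r"(\S+)\s*=\s*\{", line)
            if opened and section == "realms":
                realm = opened.group(1)
                result[realm] = DEFAULT_MKEY_TYPE  # until overridden
        elif line.startswith("}"):
            realm = None  # end of this realm's subsection
        elif line.partition("=")[0].strip() == "master_key_type":
            result[realm] = line.partition("=")[2].strip()
    return result

def weak_realms(conf_text):
    """Realms whose master_key_type starts with a weak prefix."""
    return {r: e for r, e in master_key_types(conf_text).items()
            if e.lower().startswith(WEAK_PREFIXES)}
```

It inspects configuration text only; the enctype of an existing stash file is not read.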