Wiki -> https://fedoraproject.org/wiki/Changes/Deprecate_ntlm_in_cyrus_sasl

This is a proposed Change for Fedora Linux. This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

== Summary ==
NTLM has been deprecated for years and is obsolete. Support for it as a SASL mechanism should be removed. It is no longer supported by cyrus-sasl upstream. The cyrus-sasl-ntlm subpackage should be removed.

== Owner ==
* Name: [[User:rcritten| Rob Crittenden]]
* Email: rcritten@xxxxxxxxxx.

== Detailed Description ==
NTLM is a family of protocols used to authenticate users and computers. It has been supplanted by more secure protocols (e.g. Kerberos).

[https://specopssoft.com/blog/microsoft-phases-out-ntlm-with-kerberos/ Microsoft is removing support for NTLM in favor of Kerberos in Windows to boost security]

[https://en.wikipedia.org/wiki/NTLM#Availability_and_use_of_NTLM Since 2010, Microsoft no longer recommends NTLM in applications:]

Implementers should be aware that NTLM does not support any recent cryptographic methods, such as AES or SHA-256. It uses cyclic redundancy checks (CRC) or MD5 for integrity, and RC4 for encryption. Deriving a key from a password is as specified in RFC1320 and FIPS46-2. Therefore, applications are generally advised not to use NTLM.

== Feedback ==

== Benefit to Fedora ==
The cyrus-sasl project dropped support for the ntlm plugin in July 2023. This proposal removes an unsupported and insecure protocol. Without upstream support, this plugin is potentially a heavy burden for Fedora packagers and a risk to security.

== Scope ==
* Proposal owners: Deprecate cyrus-sasl-ntlm. This will allow for removal of the sub-package from the distribution in a future release.
* Other developers:
** There do not appear to be any packages that rely on cyrus-sasl-ntlm.
* Release engineering: Some coordination may be necessary so the subpackage never appears in a given Fedora release. Ideally it is removed in rawhide before the Fedora-next fork.
* Policies and guidelines: Release notes will be needed to announce the deprecation and removal.
* Trademark approval: N/A (not needed for this Change)
* Alignment with Community Initiatives: N/A

== Upgrade/compatibility impact ==
Existing users of cyrus-sasl-ntlm will need to authenticate using a different mechanism.

== How To Test ==
This will only affect a narrow set of users. It will be an exercise for the end-user to determine which mechanism(s) may be a suitable replacement.

== User Experience ==
This will not be visible to users that aren't using cyrus-sasl-ntlm. It will be '''very''' visible to those that are, as they will have to revise their authentication configuration in order to upgrade or install the cyrus-sasl package.

== Dependencies ==
None.

== Contingency Plan ==
The proposal involves removing a subpackage from the spec file. The backup plan is to not do it.
== Documentation ==
This was removed in upstream PR https://github.com/cyrusimap/cyrus-sasl/issues/708

== Release Notes ==

--
Aoife Moloney
Fedora Operations Architect
Fedora Project
Matrix: @amoloney:fedora.im
IRC: amoloney
--
_______________________________________________
devel-announce mailing list -- devel-announce@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-announce-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
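
Added example, not part of the original announcement or of cyrus-sasl: a shell check for the audit that the "Upgrade/compatibility impact" and "How To Test" sections leave to the end user. It assumes application configs are /etc/sasl2/*.conf files that select mechanisms with mech_list; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Audit Cyrus SASL application configs for reliance on the NTLM mechanism.
# Assumption: configs are "<option>: <value>" files named *.conf, by default
# in /etc/sasl2; pass another directory as the first argument.

# Prints "<file> <state>" for every config, where <state> is:
#   explicit - mech_list names NTLM; this service needs a replacement mechanism
#   implicit - no mech_list, so every installed plugin is offered to clients
#   clean    - mech_list is set and does not name NTLM
audit_sasl_ntlm() {
    dir=${1:-/etc/sasl2}
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # Collect uncommented mech_list values, upper-cased, space separated.
        mechs=$(grep -iE '^[[:space:]]*mech_list[[:space:]]*:' "$f" |
                cut -d: -f2- | tr 'a-z' 'A-Z' | tr ',\t\n' '   ')
        case " $mechs " in
            *" NTLM "*)       state=explicit ;;
            *[![:space:]]*)   state=clean ;;
            *)                state=implicit ;;
        esac
        printf '%s %s\n' "$f" "$state"
    done
}

# Runs the audit over three constructed sample configs (not real data).
demo_audit() {
    d=$(mktemp -d) || return 1
    printf 'pwcheck_method: saslauthd\nmech_list: plain login NTLM\n' > "$d/smtpd.conf"
    printf 'pwcheck_method: saslauthd\n' > "$d/slapd.conf"
    printf '# mech_list: ntlm\nmech_list: GSSAPI\n' > "$d/imapd.conf"
    audit_sasl_ntlm "$d" | sed "s|^$d/||"
    rm -rf "$d"
}

# Usage: script --demo    (sample data)   or   script /etc/sasl2
case "${1:-}" in
    --demo) demo_audit ;;
    ?*)     audit_sasl_ntlm "$1" ;;
esac
```

An `implicit` result matters only on hosts where `rpm -q cyrus-sasl-ntlm` reports the subpackage installed, because without mech_list the library offers every installed mechanism.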