F40 Change Proposal: Deprecate_ntlm_in_cyrus_sasl (Self-Contained)

Wiki -> https://fedoraproject.org/wiki/Changes/Deprecate_ntlm_in_cyrus_sasl

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.


== Summary ==

NTLM has been deprecated for years and is obsolete. Support for it
should be removed as a SASL mechanism. This is no longer supported by
cyrus-sasl upstream. The cyrus-sasl-ntlm subpackage should be removed.

== Owner ==
* Name: [[User:rcritten| Rob Crittenden]]
* Email: rcritten@xxxxxxxxxx.



== Detailed Description ==
NTLM authentication is a family of authentication protocols to
authenticate users and computers.  It has been supplanted by more
secure protocols (e.g. Kerberos).
[https://specopssoft.com/blog/microsoft-phases-out-ntlm-with-kerberos/
Microsoft is removing support for NTLM in favor of Kerberos in Windows
to boost security]

[https://en.wikipedia.org/wiki/NTLM#Availability_and_use_of_NTLM Since
2010, Microsoft no longer recommends NTLM in applications:]

    Implementers should be aware that NTLM does not support any recent
cryptographic methods, such as AES or SHA-256. It uses cyclic
redundancy checks (CRC) or MD5 for integrity, and RC4 for encryption.
    Deriving a key from a password is as specified in RFC1320 and
FIPS46-2. Therefore, applications are generally advised not to use
NTLM.

== Feedback ==

== Benefit to Fedora ==
The cyrus-sasl project dropped support for the ntlm plugin in July,
2023. This proposal removes an unsupported and insecure protocol.
Without upstream support, this plugin is potentially a
heavy burden for Fedora packagers and a risk to security.

== Scope ==
* Proposal owners:
Deprecate cyrus-sasl-ntlm. This will allow for removal of the
sub-package from the distribution in a future release.

* Other developers:
** There do not appear to be any packages that rely on cyrus-sasl-ntlm

* Release engineering:
Some coordination may be necessary so the subpackage never appears in
a given Fedora release. Ideally it is removed in rawhide before the
Fedora-next fork.

* Policies and guidelines: Release notes will be needed to announce
the deprecation and removal.

* Trademark approval: N/A (not needed for this Change)

* Alignment with Community Initiatives: N/A

== Upgrade/compatibility impact ==
Existing users of cyrus-sasl-ntlm will need to authenticate using a
different mechanism.

== How To Test ==

This will only affect a narrow set of users. It will be an exercise
for the end-user to determine which mechanism(s) may be a suitable
replacement.

== User Experience ==

This will not be visible to users that aren't using cyrus-sasl-ntlm.
It will be '''very''' visible to those that are as they will have to
revise their authentication configuration in order to upgrade or
install the cyrus-sasl package.

== Dependencies ==
None.

== Contingency Plan ==

The proposal involves removing a subpackage from the spec file. The
backup plan is to not do it.

== Documentation ==

This was removed in upstream PR
https://github.com/cyrusimap/cyrus-sasl/issues/708

== Release Notes ==




-- 
Aoife Moloney

Fedora Operations Architect

Fedora Project

Matrix: @amoloney:fedora.im

IRC: amoloney
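
For the upgrade impact described in the proposal, an administrator can check which application SASL configurations would be affected. The following is an added example, not part of the original message or of cyrus-sasl. It assumes the standard Cyrus SASL `key: value` option format (files typically under /etc/sasl2/) and the documented default that an absent `mech_list` allows every installed mechanism. The function names and sample configs are constructed for illustration.

```python
def parse_sasl_conf(text):
    """Parse Cyrus SASL option lines of the form 'key: value'.
    Blank lines and lines starting with '#' are ignored."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            opts[key.strip()] = value.strip()
    return opts


def ntlm_exposure(conf_text, ntlm_plugin_installed):
    """Classify how one application config relates to the NTLM mechanism.

    'explicit' - mech_list names NTLM; the config must be edited before
                 the cyrus-sasl-ntlm subpackage goes away.
    'implicit' - no mech_list is set and the plugin is installed, so NTLM
                 is offered by default alongside every other mechanism.
    'none'     - NTLM is neither listed nor offered by default.
    """
    mech_list = parse_sasl_conf(conf_text).get("mech_list")
    if mech_list is None:
        return "implicit" if ntlm_plugin_installed else "none"
    # mech_list is whitespace separated; compare case-insensitively
    # (a conservative choice for this example).
    mechs = {m.upper() for m in mech_list.split()}
    return "explicit" if "NTLM" in mechs else "none"


if __name__ == "__main__":
    # Constructed sample configs, not taken from any real system.
    samples = {
        "smtpd.conf": "pwcheck_method: saslauthd\nmech_list: plain ntlm login\n",
        "slapd.conf": "# mech_list: NTLM\npwcheck_method: saslauthd\n",
        "imapd.conf": "mech_list: GSSAPI PLAIN\n",
    }
    for name, text in samples.items():
        print(name, ntlm_exposure(text, ntlm_plugin_installed=True))
```

Configs reported as `implicit` need no edit to survive the removal, but pinning `mech_list` to the intended mechanisms makes the offered set explicit.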
--
_______________________________________________
devel-announce mailing list -- devel-announce@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-announce-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue