Hi Chuck,
On Sun, 15 Jan 2023, Chuck Lever wrote:
From: Chuck Lever <chuck.lever@xxxxxxxxxx>
Because the DES block cipher has been deprecated by Internet
standard, highly secure configurations might require that DES
support be blacklisted or not installed. NFS Kerberos should still
be able to work correctly with only the AES-based enctypes in that
situation.
Also note that MIT Kerberos has begun a deprecation process for DES
encryption types. Their README for 1.19.3 states:
Beginning with the krb5-1.19 release, a warning will be issued
if initial credentials are acquired using the des3-cbc-sha1
encryption type. In future releases, this encryption type will
be disabled by default and eventually removed.
Beginning with the krb5-1.18 release, single-DES encryption
types have been removed.
Aside from the CONFIG option name change, there are two important
policy changes:
1. The 'insecure enctype' group is now disabled by default.
Distributors have to take action to enable support for deprecated
enctypes. Implementation of these enctypes will be removed in a
future kernel release.
2. des3-cbc-sha1 is now considered part of the 'insecure enctype'
group, having been deprecated by RFC 8429, and is thus disabled
by default
After this patch is applied, SunRPC support can be built with
Kerberos 5 support but without CRYPTO_DES enabled in the kernel.
And, when these enctypes are disabled, the Linux kernel's SunRPC
RPCSEC GSS implementation fully complies with BCP 179 / RFC 6649
and BCP 218 / RFC 8429.
Tested-by: Scott Mayhew <smayhew@xxxxxxxxxx>
Signed-off-by: Chuck Lever <chuck.lever@xxxxxxxxxx>
Thanks for your patch, which is now commit dfe9a123451a6e73 ("SUNRPC:
Enable rpcsec_gss_krb5.ko to be built without CRYPTO_DES") in v6.3-rc1.
--- a/net/sunrpc/Kconfig
+++ b/net/sunrpc/Kconfig
@@ -19,10 +19,10 @@ config SUNRPC_SWAP
config RPCSEC_GSS_KRB5
tristate "Secure RPC: Kerberos V mechanism"
depends on SUNRPC && CRYPTO
- depends on CRYPTO_MD5 && CRYPTO_DES && CRYPTO_CBC && CRYPTO_CTS
- depends on CRYPTO_ECB && CRYPTO_HMAC && CRYPTO_SHA1 && CRYPTO_AES
default y
select SUNRPC_GSS
+ select CRYPTO_SKCIPHER
+ select CRYPTO_HASH
help
Choose Y here to enable Secure RPC using the Kerberos version 5
GSS-API mechanism (RFC 1964).
While updating my defconfigs for v6.3-rc1, I noticed this change has an
interesting side-effect: if any of the CRYPTO_* algorithms were modular
before, RPCSEC_GSS_KRB5 was modular, too.
After this change, RPCSEC_GSS_KRB5 is promoted to builtin.
This is not necessarily bad in-se, but you might want to be aware of it,
and perhaps change the "default y".
Gr{oetje,eeting}s,
Geert
--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@xxxxxxxxxxxxxx
In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
-- Linus Torvalds
