Re: [PATCH v2 17/20] SUNRPC: Remove support for kerberos_v1

> On Nov 30, 2018, at 4:19 PM, Anna Schumaker <schumaker.anna@xxxxxxxxx> wrote:
> 
> Hi Chuck,
> 
> On Mon, 2018-11-26 at 15:07 -0500, Chuck Lever wrote:
>> Kerberos v1 allows the selection of encryption types that are known
>> to be insecure and are no longer widely deployed. Also there is no
>> convenient facility for testing v1 or these enctypes, so essentially
>> this code has been untested for some time.
>> 
>> Note that RFC 6649 deprecates DES and Arcfour_56 in Kerberos, and
>> RFC 8429 (October 2018) deprecates DES3 and Arcfour.
>> 
>> Support for DES_CBC_RAW, DES_CBC_CRC, DES_CBC_MD4, DES_CBC_MD5,
>> DES3_CBC_RAW, and ARCFOUR_HMAC encryption in the Linux kernel
>> RPCSEC_GSS implementation is removed by this patch.
> 
> I guess my biggest question is if any servers in the wild might still be using
> Kerberos v1 encryption that we need to worry about?

What we want to do here is remove encryption types that the upstream
community can no longer support, and that the IETF says are insecure
and thus should not be used (even if we could support them). IMO this
is not a matter of continuing to support old servers: they need to
update.


> And does the rpc.gssd daemon need to be updated as well?

If the kernel doesn't ask for these encryption types, gssd won't use
them. It might do with some clean up, though, but I haven't looked
closely at it.


--
Chuck Lever






