Re: [PATCH v2 17/20] SUNRPC: Remove support for kerberos_v1

On Fri, Nov 30, 2018 at 4:26 PM Chuck Lever <chuck.lever@xxxxxxxxxx> wrote:
>
>
>
> > On Nov 30, 2018, at 4:19 PM, Anna Schumaker <schumaker.anna@xxxxxxxxx> wrote:
> >
> > Hi Chuck,
> >
> > On Mon, 2018-11-26 at 15:07 -0500, Chuck Lever wrote:
> >> Kerberos v1 allows the selection of encryption types that are known
> >> to be insecure and are no longer widely deployed. Also there is no
> >> convenient facility for testing v1 or these enctypes, so essentially
> >> this code has been untested for some time.
> >>
> >> Note that RFC 6649 deprecates DES and Arcfour_56 in Kerberos, and
> >> RFC 8429 (October 2018) deprecates DES3 and Arcfour.
> >>
> >> Support for DES_CBC_RAW, DES_CBC_CRC, DES_CBC_MD4, DES_CBC_MD5,
> >> DES3_CBC_RAW, and ARCFOUR_HMAC encryption in the Linux kernel
> >> RPCSEC_GSS implementation is removed by this patch.
> >
> > I guess my biggest question is if any servers in the wild might still be using
> > Kerberos v1 encryption that we need to worry about?
>
> What we want to do here is remove encryption types that the upstream
> community can no longer support, and that the IETF says are insecure
> and thus should not be used (even if we could support them). IMO this
> is not a matter of continuing to support old servers: they need to
> update.

I'm not arguing for not removing it .. but.. also to consider not
necessarily the server implementations but the fact that prior to
Windows 2008 AD there is no support for AES encryption types.

>
>
> > And does the rpc.gssd daemon need to be updated as well?
>
> If the kernel doesn't ask for these encryption types, gssd won't use
> them. It might do with some clean up, though, but I haven't looked
> closely at it.
>
>
> --
> Chuck Lever
>
>
>


