[Freeipa-devel] [PATCH] Remove des3/arcfour from default enctypes

Alexander Bokovoy abokovoy at redhat.com
Wed Jan 13 14:06:50 UTC 2016


On Mon, 23 Nov 2015, Simo Sorce wrote:
>Note, this does not touch the trust code because apparently we use only
>arcfour there.
>
>CCing Alexander to give me a comment about that, probably worth opening
>a ticket specific to trusts.
>
>Otherwise addresses #4740
>
>Simo.
>
>-- 
>Simo Sorce * Red Hat, Inc * New York

>From 70b4c8971ca623aa51e8e7d1f0e5d245a05c7396 Mon Sep 17 00:00:00 2001
>From: Simo Sorce <simo at redhat.com>
>Date: Mon, 23 Nov 2015 13:40:42 -0500
>Subject: [PATCH] Use only AES enctypes by default
>
>Remove des3 and arcfour from the defaults for new installs.
>
>NOTE: the ipasam/dcerpc code still uses arcfour
>
>Signed-off-by: Simo Sorce <simo at redhat.com>
>
>Ticket: https://fedorahosted.org/freeipa/ticket/4740
>---
> daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 14 +++-----------
> install/share/kerberos.ldif                      |  2 --
> 2 files changed, 3 insertions(+), 13 deletions(-)
>
>diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
>index 1a8ef47b0fc6a932a4115dfa05ecf1a39c8e762f..5dc606d22305cf63a16feca30aab2728bb20b80d 100644
>--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
>+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
>@@ -55,18 +55,10 @@ extern const char *ipa_realm_dn;
> extern const char *ipa_etc_config_dn;
> extern const char *ipa_pwd_config_dn;
> 
>-/* These are the default enc:salt types if nothing is defined.
>- * TODO: retrieve the configure set of ecntypes either from the
>- * kfc.conf file or by synchronizing the file content into
>- * the directory */
>+/* These are the default enc:salt types if nothing is defined in LDAP */
> static const char *ipapwd_def_encsalts[] = {
>-    "des3-hmac-sha1:normal",
>-/*    "arcfour-hmac:normal",
>-    "des-hmac-sha1:normal",
>-    "des-cbc-md5:normal", */
>-    "des-cbc-crc:normal",
>-/*    "des-cbc-crc:v4",
>-    "des-cbc-crc:afs3", */
>+    "aes256-cts:special",
>+    "aes128-cts:special",
>     NULL
> };
> 
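Review bot: the fallback list changes salt type as well as enctype, from "des3-hmac-sha1:normal" / "des-cbc-crc:normal" to "aes256-cts:special" / "aes128-cts:special", which the commit message does not mention; worth a sentence there, since this array is used only when krbDefaultEncSaltTypes is absent from LDAP and the salt choice affects how keys are derived for those entries. The replacement comment also drops the TODO about sourcing enctypes from the KDC config; if that is still wanted, keep a one-line pointer to the ticket so the intent is not lost with this cleanup.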
>diff --git a/install/share/kerberos.ldif b/install/share/kerberos.ldif
>index 41e77952adafaf28bfaa96b4c1f1a81ef96348be..1f556382e262ec1b71eb0f4267de0a987952d84d 100644
>--- a/install/share/kerberos.ldif
>+++ b/install/share/kerberos.ldif
>@@ -30,8 +30,6 @@ krbMaxTicketLife: 86400
> krbMaxRenewableAge: 604800
> krbDefaultEncSaltTypes: aes256-cts:special
> krbDefaultEncSaltTypes: aes128-cts:special
>-krbDefaultEncSaltTypes: des3-hmac-sha1:special
>-krbDefaultEncSaltTypes: arcfour-hmac:special
> 
> # Default password Policy
> dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
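Review bot: removing the des3-hmac-sha1 and arcfour-hmac values from kerberos.ldif only affects fresh installs, since the template is applied at install time; existing deployments keep whatever krbDefaultEncSaltTypes values they already have, so an upgrade step or an admin note on trimming the attribute once clients are migrated would make the change effective for them too. Given the commit message says the ipasam/dcerpc code still uses arcfour, it is also worth stating explicitly that trust-related principals are unaffected by this default, so nobody reads this as arcfour being gone from the KDC.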
>-- 
>2.5.0
>
ACK.

-- 
/ Alexander Bokovoy
