[Freeipa-devel] [PATCH] Remove des3/arcfour from default enctypes

Martin Basti mbasti at redhat.com
Wed Jan 13 14:25:51 UTC 2016



On 13.01.2016 15:06, Alexander Bokovoy wrote:
> On Mon, 23 Nov 2015, Simo Sorce wrote:
>> Note, this does not touch the trust code because apparently we use only
>> arcfour there.
>>
>> CCing Alexander to give me a comment about that, probably worth opening
>> a ticket specific to trusts.
>>
>> Otherwise addresses #4740
>>
>> Simo.
>>
>> -- 
>> Simo Sorce * Red Hat, Inc * New York
>
>> From 70b4c8971ca623aa51e8e7d1f0e5d245a05c7396 Mon Sep 17 00:00:00 2001
>> From: Simo Sorce <simo at redhat.com>
>> Date: Mon, 23 Nov 2015 13:40:42 -0500
>> Subject: [PATCH] Use only AES enctypes by default
>>
>> Remove des3 and arcfour from the defaults for new installs.
>>
>> NOTE: the ipasam/dcerpc code still uses arcfour
>>
>> Signed-off-by: Simo Sorce <simo at redhat.com>
>>
>> Ticket: https://fedorahosted.org/freeipa/ticket/4740
>> ---
>> daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 14 +++-----------
>> install/share/kerberos.ldif                      |  2 --
>> 2 files changed, 3 insertions(+), 13 deletions(-)
>>
>> diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c 
>> b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
>> index 
>> 1a8ef47b0fc6a932a4115dfa05ecf1a39c8e762f..5dc606d22305cf63a16feca30aab2728bb20b80d 
>> 100644
>> --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
>> +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
>> @@ -55,18 +55,10 @@ extern const char *ipa_realm_dn;
>> extern const char *ipa_etc_config_dn;
>> extern const char *ipa_pwd_config_dn;
>>
>> -/* These are the default enc:salt types if nothing is defined.
>> - * TODO: retrieve the configure set of ecntypes either from the
>> - * kfc.conf file or by synchronizing the file content into
>> - * the directory */
>> +/* These are the default enc:salt types if nothing is defined in 
>> LDAP */
>> static const char *ipapwd_def_encsalts[] = {
>> -    "des3-hmac-sha1:normal",
>> -/*    "arcfour-hmac:normal",
>> -    "des-hmac-sha1:normal",
>> -    "des-cbc-md5:normal", */
>> -    "des-cbc-crc:normal",
>> -/*    "des-cbc-crc:v4",
>> -    "des-cbc-crc:afs3", */
>> +    "aes256-cts:special",
>> +    "aes128-cts:special",
>>     NULL
>> };
>>
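Review bot: the commit title and body describe the change as removing des3 and arcfour, but this hunk also drops `"des-cbc-crc:normal"`, which was the one single-DES entry still active in ipapwd_def_encsalts (the neighbouring DES entries were already inside the `/* ... */` blocks), so the commit message should state that single-DES disappears from the built-in fallback as well, since that is the behaviour change a downstream reader will look for. The replacement comment says the defaults apply when "nothing is defined in LDAP"; naming the attribute that is consulted (krbDefaultEncSaltTypes, as used in kerberos.ldif in this same patch) would make the relationship between the C fallback and the LDAP-configured list explicit, and the salt type moving from `normal` to `special` in the fallback is worth a line in the commit message too.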
>> diff --git a/install/share/kerberos.ldif b/install/share/kerberos.ldif
>> index 
>> 41e77952adafaf28bfaa96b4c1f1a81ef96348be..1f556382e262ec1b71eb0f4267de0a987952d84d 
>> 100644
>> --- a/install/share/kerberos.ldif
>> +++ b/install/share/kerberos.ldif
>> @@ -30,8 +30,6 @@ krbMaxTicketLife: 86400
>> krbMaxRenewableAge: 604800
>> krbDefaultEncSaltTypes: aes256-cts:special
>> krbDefaultEncSaltTypes: aes128-cts:special
>> -krbDefaultEncSaltTypes: des3-hmac-sha1:special
>> -krbDefaultEncSaltTypes: arcfour-hmac:special
>>
>> # Default password Policy
>> dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
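Review bot: this hunk only edits the install-time template, so realms installed before this change keep des3-hmac-sha1 and arcfour-hmac in krbDefaultEncSaltTypes and get no upgrade step from this patch; the commit message should say explicitly that existing deployments keep their current list (or a follow-up update step should be filed). Since the commit NOTE says the ipasam/dcerpc code still uses arcfour while arcfour-hmac is removed from the defaults here, the trust-specific ticket Simo proposes should be referenced in the commit message so that dependency is recorded next to the change.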
>> -- 
>> 2.5.0
>>
> ACK.
>
Pushed to:
master: 58ab032f1ae20454d4b9d760c7601fd8b44045f5
ipa-4-3: bad5b0247984635fe402283aee259f35a048df6b