[Touch-packages] [Bug 1981697] Re: KDC: weak crypto in default settings

Mon, 25 Jul 2022 05:21:34 -0700 

Actually, looks like it could be simple, as in, do nothing out of the ordinary. 
The config file is not shipped as /etc/krb5kdc/kdc.conf:
    db_get krb5-kdc/debconf
    DEBCONF="$RET"

    if [ ! -f /etc/krb5kdc/kdc.conf ] && [ $DEBCONF = "true" ] ; then
        sed -e "s/@MYREALM/$KRB5LD_DEFAULT_REALM/" \
            /usr/share/krb5-kdc/kdc.conf.template > /etc/krb5kdc/kdc.conf
    fi


A quick upgrade test in a few scenarios should suffice.

@mdeslaur, should we SRU this?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1981697

Title:
  KDC: weak crypto in default settings

Status in krb5 package in Ubuntu:
  Confirmed
Status in krb5 package in Debian:
  Unknown

Bug description:
  Default setting in /etc/krb5kdc/kdc.conf, as installed from krb5-kdc in 
Ubuntu 22.04 Server:
  master_key_type = des3-hmac-sha1

  3DES was deprecated by NIST in 2017, i.e. give years ago! Reference:
  https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-
  of-TDEA . This should not be a default since a very long time, and
  particularly not for new installations. If a compatibility with out-
  of-date installations is necessary, this should be explicitly made be
  the administrator.

  SHA-1 was deprecated as well, in 2011, i.e. eleven years ago!
  Reference:
  https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-131a.pdf
  .

  A reasonable default would probably be:
  master_key_type = aes256-cts-hmac-sha384-192

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: krb5-kdc 1.19.2-2
  ProcVersionSignature: Ubuntu 5.15.0-40.43-generic 5.15.35
  Uname: Linux 5.15.0-40-generic x86_64
  ApportVersion: 2.20.11-0ubuntu82.1
  Architecture: amd64
  CasperMD5CheckResult: pass
  Date: Thu Jul 14 12:34:22 2022
  InstallationDate: Installed on 2022-05-30 (45 days ago)
  InstallationMedia: Ubuntu-Server 22.04 LTS "Jammy Jellyfish" - Release amd64 
(20220421)
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=en_IE.UTF-8
   SHELL=/bin/bash
  SourcePackage: krb5
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1981697/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to