[Bug 1969676] Re: Stash file /etc/krb5kdc/stash uses DEPRECATED enctype des3-cbc-sha1
Bug Watch Updater
1969676 at bugs.launchpad.net
Wed Apr 20 22:56:04 UTC 2022
** Changed in: krb5 (Debian)
Status: Unknown => New
--
You received this bug notification because you are a member of Ubuntu Foundations Bugs, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1969676
Title:
Stash file /etc/krb5kdc/stash uses DEPRECATED enctype des3-cbc-sha1
Status in krb5 package in Ubuntu:
Triaged
Status in krb5 package in Debian:
New
Bug description:
When provisioning a new realm, this warning is logged in /var/log/syslog:
==> /var/log/syslog <==
Apr 20 20:43:16 kdc systemd[1]: Starting Kerberos 5 Key Distribution Center...
Apr 20 20:43:16 kdc krb5kdc[3136]: Stash file /etc/krb5kdc/stash uses DEPRECATED enctype des3-cbc-sha1!
This comes from "master_key_type" in the default kdc.conf shipped in krb5-kdc:
$ cat /usr/share/krb5-kdc/kdc.conf.template
[kdcdefaults]
    kdc_ports = 750,88

[realms]
    @MYREALM = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        #supported_enctypes = aes256-cts:normal aes128-cts:normal
        default_principal_flags = +preauth
    }
The kdc.conf manpage says that the current default is "aes256-cts-hmac-sha1-96".
The sample kdc.conf in the documentation at https://web.mit.edu/kerberos/krb5-latest/doc/admin/install_kdc.html#kdc-conf suggests just "master_key_type = aes256-cts".
Changing encryption defaults should be done carefully, even when suggested by upstream. I filed bugs.debian.org/1009927 in Debian as well.
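The check and the fix a KDC operator would want after reading the report, as an added example that is not part of the bug report, the Debian/Ubuntu package or MIT krb5: a shell script that audits the master_key_type in a kdc.conf against the enctypes current krb5 warns about as deprecated, emits the stanza rewritten to the manpage default aes256-cts-hmac-sha1-96, and prints (rather than runs) the kdb5_util master-key rollover that an already-provisioned KDC needs, since editing kdc.conf alone changes neither the stash nor the database. The sample kdc.conf is constructed inline after the shipped template; the realm name, the assumption that the new master key gets kvno 2, and the Debian service names krb5-kdc and krb5-admin-server are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not code from the bug report, Debian/Ubuntu or MIT krb5:
# audit the master_key_type in a kdc.conf, emit the corrected stanza, and
# print (not run) the kdb5_util master-key rollover an existing KDC needs.
set -eu

# Enctype names current MIT krb5 warns about as deprecated: triple-DES
# (des3-cbc-sha1 and its aliases), the single-DES family and RC4.
is_deprecated_enctype() {
  case "$1" in
    des3-cbc-sha1|des3-hmac-sha1|des3-cbc-sha1-kd|des3-cbc-raw|des-*|rc4-hmac|rc4-hmac-exp|arcfour-hmac*)
      return 0 ;;
    *)
      return 1 ;;
  esac
}

# Print the first uncommented "master_key_type = X" value in a kdc.conf
# (empty output when the key is not set, i.e. the built-in default applies).
master_key_type_of() {
  awk -F= '$1 ~ /^[[:space:]]*master_key_type[[:space:]]*$/ {
             gsub(/[[:space:]]/, "", $2); print $2; exit }' "$1"
}

# Return 1 when the configured master key enctype is deprecated, mirroring the
# "Stash file ... uses DEPRECATED enctype" warning krb5kdc logs at startup.
audit_kdc_conf() {
  mkt=$(master_key_type_of "$1")
  if [ -z "$mkt" ]; then
    echo "$1: master_key_type unset; krb5's built-in default (aes256-cts-hmac-sha1-96) applies"
    return 0
  fi
  if is_deprecated_enctype "$mkt"; then
    echo "$1: master_key_type $mkt is DEPRECATED; roll the master key to an AES enctype"
    return 1
  fi
  echo "$1: master_key_type $mkt is acceptable"
}

# Same file with master_key_type rewritten to the enctype the kdc.conf(5)
# manpage names as the current default; indentation and other lines are kept.
fixed_kdc_conf() {
  sed -E 's/^([[:space:]]*master_key_type[[:space:]]*=[[:space:]]*).*$/\1aes256-cts-hmac-sha1-96/' "$1"
}

# Rollover steps for a KDC whose database was created under the old master
# key: add and stash the new key, activate it, re-encrypt every principal,
# then purge the old key. The new kvno is assumed to be 2 (a KDC with one
# original master key); confirm it in the list_mkeys output before use_mkey.
mkey_rollover_plan() {
  cat <<EOF
# run as root on the KDC for realm $1, then restart krb5-kdc and krb5-admin-server
kdb5_util -r $1 add_mkey -e aes256-cts-hmac-sha1-96 -s
kdb5_util -r $1 list_mkeys
kdb5_util -r $1 use_mkey 2
kdb5_util -r $1 update_princ_encryption -v
kdb5_util -r $1 purge_mkeys -v
EOF
}

# Constructed sample mirroring the shipped template's [realms] stanza.
SAMPLE_KDC_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_KDC_CONF" "$SAMPLE_KDC_CONF.fixed"' EXIT
cat >"$SAMPLE_KDC_CONF" <<'EOF'
[realms]
    MYREALM = {
        key_stash_file = /etc/krb5kdc/stash
        master_key_type = des3-hmac-sha1
        #supported_enctypes = aes256-cts:normal aes128-cts:normal
    }
EOF

if ! audit_kdc_conf "$SAMPLE_KDC_CONF"; then
  echo "--- corrected kdc.conf ---"
  fixed_kdc_conf "$SAMPLE_KDC_CONF"
  echo "--- master key rollover ---"
  mkey_rollover_plan MYREALM
fi
```

The rollover is printed instead of executed on purpose: update_princ_encryption rewrites every principal entry and purge_mkeys destroys the old key, so take a `kdb5_util dump` of the database and a copy of the old stash before running it on a live KDC, and only purge once list_mkeys shows every principal on the new kvno.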