Stash file /etc/krb5kdc/stash uses DEPRECATED enctype des3-cbc-sha1
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
krb5 (Debian) | Fix Released | Unknown | | |
krb5 (Ubuntu) | Triaged | Medium | Unassigned | |
Bug Description
When provisioning a new realm, this warning is logged in /var/log/syslog:
==> /var/log/syslog <==
Apr 20 20:43:16 kdc systemd[1]: Starting Kerberos 5 Key Distribution Center...
Apr 20 20:43:16 kdc krb5kdc[3136]: Stash file /etc/krb5kdc/stash uses DEPRECATED enctype des3-cbc-sha1!
This comes from "master_key_type" in the default kdc.conf shipped in krb5-kdc:
$ cat /usr/share/
[kdcdefaults]
kdc_ports = 750,88
[realms]
@MYREALM = {
acl_file = /etc/krb5kdc/
kdc_ports = 750,88
max_life = 10h 0m 0s
}
The kdc.conf manpage says that the current default is "aes256-
kdc.conf in the documentation at https:/
Changing encryption defaults should be done carefully, even when suggested by upstream. I filed bugs.debian.
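A defender-side check for the condition this report describes, as an added example that is not part of the original report or of krb5: it reads kdc.conf text and flags realms whose master_key_type is a deprecated enctype, and picks the stash-file warning out of syslog lines. The realm names, the sample master_key_type line and every enctype name other than des3-cbc-sha1 are assumptions of this example.

```python
import re

# des3-cbc-sha1 is the enctype named in the warning on this page; the other
# names (its aliases and the arcfour family) are this example's assumption.
DEPRECATED = {"des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-sha1-kd",
              "arcfour-hmac", "rc4-hmac", "arcfour-hmac-md5"}
WARNING_RE = re.compile(r"krb5kdc\[\d+\]: Stash file (?P<path>\S+) "
                        r"uses DEPRECATED enctype (?P<enctype>[\w-]+)")

# Constructed sample input: realm names and the master_key_type value are made up.
SAMPLE_CONF = """\
[kdcdefaults]
    kdc_ports = 750,88
[realms]
    EXAMPLE.ORG = {
        master_key_type = des3-hmac-sha1
    }
    OTHER.EXAMPLE = {
        max_life = 10h 0m 0s
    }
"""
# Log line as quoted in the report above.
SAMPLE_LOG = ("Apr 20 20:43:16 kdc krb5kdc[3136]: Stash file /etc/krb5kdc/stash "
              "uses DEPRECATED enctype des3-cbc-sha1!\n")


def audit_kdc_conf(text):
    """Map each realm to (master_key_type or None, is_deprecated)."""
    results, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].strip(), None
        elif line.startswith("}"):
            realm = None
        elif section == "realms" and realm is None and line.endswith("{"):
            realm = line.split("=", 1)[0].strip()
            results[realm] = (None, False)       # not set: built-in default applies
        elif realm is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "master_key_type":
                results[realm] = (value, value.lower() in DEPRECATED)
    return results

def stash_warnings(log_text):
    """Return (stash path, enctype) for each deprecated-stash warning in the log."""
    return [(m["path"], m["enctype"]) for m in WARNING_RE.finditer(log_text)]
```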
Changed in krb5 (Ubuntu): | |
status: | New → Triaged |
importance: | Undecided → Medium |
Changed in krb5 (Debian): | |
status: | Unknown → New |
Changed in krb5 (Debian): | |
status: | New → Fix Released |