Stash file /etc/krb5kdc/stash uses DEPRECATED enctype des3-cbc-sha1

Bug #1969676 reported by Andreas Hasenack
This bug report is a duplicate of: Bug #1981697: KDC: weak crypto in default settings.
Affects         Status         Importance   Assigned to   Milestone
krb5 (Debian)   Fix Released   Unknown
krb5 (Ubuntu)   Triaged        Medium       Unassigned

Bug Description

When provisioning a new realm, this warning is logged in /var/log/syslog:

==> /var/log/syslog <==
Apr 20 20:43:16 kdc systemd[1]: Starting Kerberos 5 Key Distribution Center...
Apr 20 20:43:16 kdc krb5kdc[3136]: Stash file /etc/krb5kdc/stash uses DEPRECATED enctype des3-cbc-sha1!

This comes from "master_key_type" in the default kdc.conf shipped in krb5-kdc:

$ cat /usr/share/krb5-kdc/kdc.conf.template
[kdcdefaults]
    kdc_ports = 750,88

[realms]
    @MYREALM = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        #supported_enctypes = aes256-cts:normal aes128-cts:normal
        default_principal_flags = +preauth
    }

The kdc.conf manpage says that the current default is "aes256-cts-hmac-sha1-96". The sample
kdc.conf in the documentation at https://web.mit.edu/kerberos/krb5-latest/doc/admin/install_kdc.html#kdc-conf suggests just "master_key_type = aes256-cts".

Changing encryption defaults should be done carefully, even when suggested by upstream. I filed bugs.debian.org/1009927 in Debian as well.
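
As an added example (not from the bug report and not krb5 project code), the POSIX shell script below audits a kdc.conf-style file for the deprecated master_key_type shown in the template above and writes a corrected copy that uses the manpage default, aes256-cts-hmac-sha1-96. The realm stanza it checks is constructed here, and the set of enctype name prefixes it treats as deprecated (single DES, triple DES, RC4) and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the bug report or of the krb5 project: find a
# deprecated master_key_type in a kdc.conf realm stanza and rewrite it to the
# AES-256 default named in the kdc.conf manpage (aes256-cts-hmac-sha1-96).
# Assumptions: "key = value" layout as in the shipped template; DES, triple-DES
# and RC4 names are the ones to flag.

# Print the configured master_key_type (first occurrence, comments stripped),
# or nothing when the option is absent and the upstream default applies.
kdc_master_key_type() {
    sed -n 's/#.*//; s/^[[:space:]]*master_key_type[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Classify an enctype name as "deprecated", "ok", or "default" (option unset).
classify_enctype() {
    case "$1" in
        "")                            echo default ;;
        des-*|des3-*|rc4-*|arcfour-*)  echo deprecated ;;
        *)                             echo ok ;;
    esac
}

# Audit one file: prints "<file>: <enctype|unset> <verdict>", exit status 1 if deprecated.
audit_kdc_conf() {
    et=$(kdc_master_key_type "$1")
    verdict=$(classify_enctype "$et")
    echo "$1: ${et:-unset} $verdict"
    [ "$verdict" != deprecated ]
}

# Write a copy of $1 to $2 with master_key_type set to aes256-cts-hmac-sha1-96.
# A file without the option is copied unchanged (the upstream default already applies).
fix_master_key_type() {
    sed 's/^\([[:space:]]*master_key_type[[:space:]]*=[[:space:]]*\)[^[:space:]]*/\1aes256-cts-hmac-sha1-96/' "$1" > "$2"
}

# Constructed sample mirroring the template's realm stanza (not a real KDC config).
SAMPLE=$(mktemp)
FIXED=$(mktemp)
trap 'rm -f "$SAMPLE" "$FIXED"' EXIT
cat > "$SAMPLE" <<'EOF'
[realms]
    EXAMPLE.COM = {
        key_stash_file = /etc/krb5kdc/stash
        master_key_type = des3-hmac-sha1
        #supported_enctypes = aes256-cts:normal aes128-cts:normal
    }
EOF

audit_kdc_conf "$SAMPLE" || true        # reports des3-hmac-sha1 as deprecated
fix_master_key_type "$SAMPLE" "$FIXED"
audit_kdc_conf "$FIXED"                 # reports aes256-cts-hmac-sha1-96 as ok
```

Two caveats for anyone applying this on a real KDC. The kdc.conf value only governs the master key created for realms provisioned after the change; a realm whose stash already holds a des3-cbc-sha1 key keeps logging the warning until the master key is rotated, which upstream documents through kdb5_util's master-key subcommands (add_mkey, use_mkey, update_princ_encryption, purge_mkeys). And "aes256-cts", the spelling used in the upstream sample kdc.conf, is an accepted alias for aes256-cts-hmac-sha1-96, so either name selects the same enctype.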

Changed in krb5 (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Changed in krb5 (Debian):
status: Unknown → New
Changed in krb5 (Debian):
status: New → Fix Released