From 3e54c4362490b4da1b6cb3e141bb6e08fecc58c0 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Mon, 14 Mar 2022 13:23:04 +0200
Subject: [PATCH] Kerberos instance: default to AES256-SHA2 for master key
encryption
KDC configuration in /var/kerberos/krb5kdc/kdc.conf is generated from
the template in install/share/kdc.conf.template. Master key encryption
type specified there is used to bootstrap the master key in LDAP
database. Once it is done, actual deployment does not rely on the
master_key_type value anymore. The actual master key(s) get loaded from
LDAP database where they are stored in a BER-encoded format, preserving all
parameters, including encryption type.
This means we can safely migrate to AES256-SHA2 as the default master
key encryption type for new installations. Replicas will get their
master key encryption type details from the server they were provisioned
from.
MIT Kerberos supports AES256-SHA2 since 1.15 (2015), meaning RHEL 7.4 is
the earliest supported version as it provides krb5 1.15.1. Current
supported RHEL 7 version is RHEL 7.9. Since RHEL 6 already cannot be
used as a replica to IPA 4.5+ due to a domain level 1 upgrade, this
change does not affect old releases.
Migration from the previously deployed master key encryption type is
described by MIT Kerberos upstream in
http://web.mit.edu/kerberos/krb5-latest/doc/admin/advanced/retiring-des.html#the-database-master-key
One would need to use '-x ipa-setup-override-restrictions' to allow
the `kdb5_util` utility to modify the data over IPA KDB driver.
Fixes: https://pagure.io/freeipa/issue/9119
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
ipaserver/install/krbinstance.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 01b3309d50c0e8025e3381eac577225b1ef0be9d..a5eaa7b17133498f08e84d01c90764236e8ebe84 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -51,7 +51,7 @@ logger = logging.getLogger(__name__)
PKINIT_ENABLED = 'pkinitEnabled'
-MASTER_KEY_TYPE = 'aes256-sha1'
+MASTER_KEY_TYPE = 'aes256-sha2'
SUPPORTED_ENCTYPES = ('aes256-sha2:special', 'aes128-sha2:special',
'aes256-sha2:normal', 'aes128-sha2:normal',
'aes256-cts:special', 'aes128-cts:special',
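Review bot: The new MASTER_KEY_TYPE value on the added line carries no comment on its scope, although the commit message establishes that it only seeds the master key when a new KDC database is bootstrapped and that existing deployments keep the enctype already stored in LDAP. A later maintainer editing this constant could assume it re-keys running installations, which it does not. I would add above the assignment: `# Only used when bootstrapping a new master key in LDAP; existing deployments keep the enctype stored there. To change it on a deployed KDC, follow the MIT "retiring DES" master-key migration procedure.` It would also help to state that the value is presumably expected to match an entry in SUPPORTED_ENCTYPES, as 'aes256-sha2:special' does; that tuple starts in the hunk but continues outside it.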
--
2.34.1