
enterprise-support team mailing list archive

[Bug 1969676] [NEW] Stash file /etc/krb5kdc/stash uses DEPRECATED enctype des3-cbc-sha1

 

Public bug reported:

When provisioning a new realm, this warning is logged in
/var/log/syslog:

==> /var/log/syslog <==
Apr 20 20:43:16 kdc systemd[1]: Starting Kerberos 5 Key Distribution Center...
Apr 20 20:43:16 kdc krb5kdc[3136]: Stash file /etc/krb5kdc/stash uses DEPRECATED enctype des3-cbc-sha1!

This comes from "master_key_type" in the default kdc.conf shipped in
krb5-kdc:

$ cat /usr/share/krb5-kdc/kdc.conf.template
[kdcdefaults]
    kdc_ports = 750,88

[realms]
    @MYREALM = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        #supported_enctypes = aes256-cts:normal aes128-cts:normal
        default_principal_flags = +preauth
    }

The kdc.conf manpage says that the current default is
"aes256-cts-hmac-sha1-96". The sample kdc.conf in the documentation at
https://web.mit.edu/kerberos/krb5-latest/doc/admin/install_kdc.html#kdc-conf
suggests just "master_key_type = aes256-cts".

Changing encryption defaults should be done carefully, even when
suggested by upstream. I filed bugs.debian.org/1009927 in debian as
well.

** Affects: krb5 (Ubuntu)
     Importance: Medium
         Status: Triaged

** Affects: krb5 (Debian)
     Importance: Unknown
         Status: Unknown

** Changed in: krb5 (Ubuntu)
       Status: New => Triaged

** Changed in: krb5 (Ubuntu)
   Importance: Undecided => Medium

** Bug watch added: Debian Bug tracker #1009927
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009927

** Also affects: krb5 (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009927
   Importance: Unknown
       Status: Unknown

-- 
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to krb5 in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/1969676

Title:
  Stash file /etc/krb5kdc/stash uses DEPRECATED enctype des3-cbc-sha1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1969676/+subscriptions
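
Added example for this thread (not code from the bug report, from the Debian/Ubuntu krb5 packages, or from MIT): a small POSIX shell script that audits a kdc.conf for the deprecated enctypes discussed above, rewrites master_key_type to the AES default, and prints the kdb5_util sequence that actually replaces the master key held in the stash file. Editing kdc.conf alone does not change the stashed key, which is what the krb5kdc warning is about; master_key_type only governs keys created later by kdb5_util create or add_mkey. Assumptions not in the original post: the sample kdc.conf and the EXAMPLE.COM realm are constructed for the example, the service names krb5-kdc and krb5-admin-server are the Ubuntu/Debian unit names, and the parse of kdb5_util list_mkeys assumes lines of the form "KVNO: N, Enctype: ...". With DRY_RUN=1 (the default) the kdb5_util commands are only printed.

```shell
#!/bin/sh
# Added example, not part of the bug report or the krb5 packages.
# Audits a kdc.conf for deprecated enctypes and shows how to move the master
# key (the key in the stash file) to AES.  DRY_RUN=1 prints the kdb5_util
# commands instead of running them; set DRY_RUN=0 to execute as root on the KDC.

# Enctype names MIT krb5 treats as deprecated: single DES, triple DES and RC4,
# plus the family keywords accepted in enctype lists.  des3-hmac-sha1 (the
# template value) and des3-cbc-sha1 (the name in the log line) are aliases.
DEPRECATED_ENCTYPES='des des3 rc4
des-cbc-crc des-cbc-md4 des-cbc-md5 des-cbc-raw des3-cbc-raw
des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd
arcfour-hmac arcfour-hmac-md5 arcfour-hmac-exp arcfour-hmac-md5-exp rc4-hmac rc4-hmac-exp'

NEW_MKEY_ENCTYPE=${NEW_MKEY_ENCTYPE:-aes256-cts-hmac-sha1-96}
DRY_RUN=${DRY_RUN:-1}

# Constructed sample input (assumption): a kdc.conf shaped like the shipped
# template, with the deprecated master_key_type plus one RC4 entry.
write_sample_kdc_conf() {
    cat > "$1" <<'EOF'
[kdcdefaults]
    kdc_ports = 750,88

[realms]
    EXAMPLE.COM = {
        database_name = /var/lib/krb5kdc/principal
        key_stash_file = /etc/krb5kdc/stash
        master_key_type = des3-hmac-sha1
        #supported_enctypes = aes256-cts:normal aes128-cts:normal
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal
        default_principal_flags = +preauth
    }
EOF
}

# Print one line per deprecated enctype named by master_key_type or
# supported_enctypes in the file $1.  '#' comments are stripped first (so the
# template's commented-out line is ignored) and the ":salt" suffix used in
# supported_enctypes lists is dropped before comparison.  Prints nothing when
# the file is clean.
kdc_conf_deprecated() {
    sed -e 's/#.*//' "$1" |
    grep -E '^[[:space:]]*(master_key_type|supported_enctypes)[[:space:]]*=' |
    while IFS='=' read -r key value; do
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        for token in $value; do
            et=${token%%:*}
            for bad in $DEPRECATED_ENCTYPES; do
                if [ "$et" = "$bad" ]; then
                    printf '%s uses deprecated enctype %s\n' "$key" "$et"
                fi
            done
        done
    done
}

# Copy kdc.conf $2 to $1 with only the master_key_type value rewritten.  This
# affects future kdb5_util create/add_mkey runs; it does not touch the stash.
fix_master_key_type() {
    sed -e "s/^\([[:space:]]*master_key_type[[:space:]]*=[[:space:]]*\).*/\1$NEW_MKEY_ENCTYPE/" "$2" > "$1"
}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'DRY RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# Replace the stashed master key: add and stash a new AES master key (add_mkey
# prompts for a password, so run interactively), activate it, restart the
# daemons so they reload the stash (Ubuntu unit names assumed), re-encrypt
# every principal's keys under the new master key, then purge the old one.
rotate_master_key() {
    run kdb5_util add_mkey -e "$NEW_MKEY_ENCTYPE" -s
    if [ "$DRY_RUN" = 1 ]; then
        kvno='<new KVNO from kdb5_util list_mkeys>'
    else
        # Assumed list_mkeys output format: "KVNO: 2, Enctype: aes256-cts-hmac-sha1-96, ..."
        kvno=$(kdb5_util list_mkeys | sed -n 's/^KVNO: \([0-9][0-9]*\),.*/\1/p' | sort -n | tail -n 1)
    fi
    run kdb5_util use_mkey "$kvno"
    run systemctl restart krb5-kdc krb5-admin-server
    run kdb5_util update_princ_encryption -f -v
    run kdb5_util purge_mkeys -f -v
}

# Usage: sh kdc-enctype-check.sh /etc/krb5kdc/kdc.conf
if [ "$#" -gt 0 ]; then
    findings=$(kdc_conf_deprecated "$1")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        echo "Commands to rotate the master key (DRY_RUN=$DRY_RUN):"
        rotate_master_key
    else
        echo "no deprecated enctypes referenced in $1"
    fi
fi
```

Run the audit against the real file first; if it reports master_key_type, fix the config with fix_master_key_type for future realms, but expect the krb5kdc warning to persist until the master key in the stash has been rotated with the kdb5_util sequence. Do the rotation on every KDC that holds a stash file, and on a test realm before the production one.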