itongxiaojun opened a new pull request, #3926:
URL: https://github.com/apache/ambari/pull/3926
**Description:**
This PR updates the supported encryption types in the Kerberos configuration
to enhance security and align with modern encryption standards. The current
configuration includes outdated and less secure encryption types, which are
replaced with stronger and more widely supported encryption algorithms.
**Changes:**
- Modified the `kerberos-env.xml` file in the
`ambari/ambari-server/src/main/resources/stacks/BIGTOP/3.2.0/services/KERBEROS/configuration/`
directory.
- Replaced the existing encryption types:
```xml
<value>aes des3-cbc-sha1 rc4 des-cbc-md5</value>
```
with:
```xml
<value>aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96</value>
```
**Reason for Change:**
- The previous encryption types (`des3-cbc-sha1`, `rc4`, and `des-cbc-md5`)
are considered weak and vulnerable to attacks.
- The new encryption types (`aes256-cts-hmac-sha1-96` and
`aes128-cts-hmac-sha1-96`) are more secure and widely supported in modern
Kerberos implementations.
**Impact:**
- This change ensures that only strong encryption types are used for
Kerberos session keys, improving overall security.
- Systems relying on older encryption types may need to update their
Kerberos configurations to remain compatible.
ambari/ambari-server/src/main/resources/stacks/BIGTOP/3.2.0/services/KERBEROS/configuration/kerberos-env.xml

ambari/ambari-server/src/main/resources/stacks/BIGTOP/3.2.0/services/KERBEROS/properties/krb5_conf.j2

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
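The value replaced in this PR mixes family keywords (`aes`, `rc4`) with full enctype names, so a plain string comparison is not enough to audit it. The following check is an added example, not code from the pull request or from Ambari: it expands the keywords and synonyms as documented for MIT krb5 enctype lists and reports any DES, 3DES or RC4 type left in the effective list. The property name `encryption_types` and the XML wrapper are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Family keywords and synonyms accepted in MIT krb5 enctype lists.
FAMILIES = {
    "aes": ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"],  # newer releases add SHA-2 types
    "des3": ["des3-cbc-sha1"],
    "rc4": ["arcfour-hmac"],
    "des": ["des-cbc-crc", "des-cbc-md5", "des-cbc-md4"],
}
SYNONYMS = {
    "des3-hmac-sha1": "des3-cbc-sha1", "des3-cbc-sha1-kd": "des3-cbc-sha1",
    "rc4-hmac": "arcfour-hmac", "arcfour-hmac-md5": "arcfour-hmac",
    "aes256-cts": "aes256-cts-hmac-sha1-96", "aes128-cts": "aes128-cts-hmac-sha1-96",
}
WEAK_PREFIXES = ("des-", "des3-", "arcfour-")  # single DES, triple DES, RC4

def expand(token):
    """Resolve one list entry to canonical enctype names."""
    token = token.lower()
    return FAMILIES.get(token, [SYNONYMS.get(token, token)])

def effective_enctypes(value):
    """Apply the list left to right; '-x' removes x, '+x' is the same as x."""
    result = []  # DEFAULT is left unexpanded: its content depends on the krb5 release
    for token in re.split(r"[\s,]+", value.strip()):
        if token.startswith("-"):
            drop = set(expand(token[1:]))
            result = [e for e in result if e not in drop]
        elif token:
            result += [e for e in expand(token.lstrip("+")) if e not in result]
    return result

def weak_enctypes(value):
    return [e for e in effective_enctypes(value) if e.startswith(WEAK_PREFIXES)]

def audit_property(xml_text, name="encryption_types"):  # property name is an assumption
    """Return the weak enctypes in one <property> of an Ambari-style config file."""
    for prop in ET.fromstring(xml_text).iter("property"):
        if prop.findtext("name") == name:
            return weak_enctypes(prop.findtext("value") or "")
    raise KeyError(name)

# Constructed sample input wrapping the two <value> strings quoted in the PR description.
SAMPLE = "<configuration><property><name>encryption_types</name><value>{}</value></property></configuration>"
OLD = SAMPLE.format("aes des3-cbc-sha1 rc4 des-cbc-md5")
NEW = SAMPLE.format("aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96")
```

`audit_property(OLD)` reports the three weak types and `audit_property(NEW)` reports none; the same `weak_enctypes` function can be applied to the enctype lists in a rendered `krb5.conf`.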