[Touch-packages] [Bug 1981697] Re: KDC: weak crypto in default settings

2023-03-08 Thread Christian Ehrhardt 
** Changed in: krb5 (Ubuntu Jammy) Assignee: (unassigned) => Andreas Hasenack (ahasenack) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1981697 Title: KDC: weak crypto

[Touch-packages] [Bug 1981697] Re: KDC: weak crypto in default settings

2022-07-14 Thread Thomas Dreibholz
A helpful howto for users who want to update the weak KDC master key with state-of-the-art crypto: https://docs.oracle.com/cd/E36784_01/html/E37126/st-mkey-1.html

[Touch-packages] [Bug 1981697] Re: KDC: weak crypto in default settings

2022-07-19 Thread Marc Deslauriers
** Bug watch added: Debian Bug tracker #1009927 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009927 ** Also affects: krb5 (Debian) via https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009927 Importance: Unknown Status: Unknown ** Changed in: krb5 (Ubuntu) Status: Ne

[Touch-packages] [Bug 1981697] Re: KDC: weak crypto in default settings

2022-07-19 Thread Andreas Hasenack
Here is a collection of guides from upstream MIT kerberos: https://web.mit.edu/kerberos/krb5-latest/doc/admin/enctypes.html#migrating-away-from-older-encryption-types

[Touch-packages] [Bug 1981697] Re: KDC: weak crypto in default settings

2022-07-25 Thread Andreas Hasenack
This was fixed in Debian and is currently in kinetic-proposed: https://launchpad.net/ubuntu/+source/krb5/1.20-1 I'm unsure how to approach this from an SRU perspective, given it's a configuration setting in the default config file that is shipped: --- a/debian/kdc.conf +++ b/debian/kdc.conf @@ -10,

[Touch-packages] [Bug 1981697] Re: KDC: weak crypto in default settings

2022-07-25 Thread Andreas Hasenack
Actually, looks like it could be simple, as in, do nothing out of the ordinary. The config file is not shipped as /etc/krb5kdc/kdc.conf: db_get krb5-kdc/debconf DEBCONF="$RET" if [ ! -f /etc/krb5kdc/kdc.conf ] && [ $DEBCONF = "true" ] ; then sed -e "s/@MYREALM/$KRB5LD_DEFAULT_

[Touch-packages] [Bug 1981697] Re: KDC: weak crypto in default settings

2022-07-25 Thread Marc Deslauriers
Oh, so it only copies the file over on new installs, that makes sense, and could be easily changed in stable releases. I have no big preference, but perhaps it would be good to have it SRUed to 22.04.

[Touch-packages] [Bug 1981697] Re: KDC: weak crypto in default settings

2022-07-25 Thread Bug Watch Updater
** Changed in: krb5 (Debian) Status: Unknown => Fix Released

[Touch-packages] [Bug 1981697] Re: KDC: weak crypto in default settings

2022-07-26 Thread Andreas Hasenack
** Tags added: bitesize server-todo ** Also affects: krb5 (Ubuntu Jammy) Importance: Undecided Status: New ** Changed in: krb5 (Ubuntu Jammy) Status: New => Triaged ** Changed in: krb5 (Ubuntu) Importance: Undecided => Medium ** Changed in: krb5 (Ubuntu Jammy) Importance:

[Touch-packages] [Bug 1981697] Re: KDC: weak crypto in default settings

2022-07-28 Thread Andreas Hasenack
This was fixed in Kinetic with https://launchpad.net/ubuntu/+source/krb5/1.20-1 krb5 (1.20-1) unstable; urgency=medium * New Upstream Version * Do not specify master key type to avoid weak crypto, Closes: #1009927 -- Sam Hartman Fri, 22 Jul 2022 16:32:38 -0600 ** Also affects: krb5 (Ubun

[Touch-packages] [Bug 1981697] Re: KDC: weak crypto in default settings

2023-04-05 Thread Andreas Hasenack
** Changed in: krb5 (Ubuntu Jammy) Status: Triaged => In Progress

[Touch-packages] [Bug 1981697] Re: KDC: weak crypto in default settings

2023-04-05 Thread Andreas Hasenack
** Description changed: + [ Impact ] + + The default crypto algorithm suite selected for the master key in the + ubuntu krb5-kdc package is 3des-sha1. This comes from a config file + shipped with the packaging which overrides upstream's default choice. + + Users who deploy a KDC using this packa

[Touch-packages] [Bug 1981697] Re: KDC: weak crypto in default settings

2023-04-05 Thread Andreas Hasenack
** Description changed: [ Impact ] The default crypto algorithm suite selected for the master key in the ubuntu krb5-kdc package is des3-hmac-sha1. This comes from a config file shipped with the packaging which overrides upstream's default choice. Users who deploy a KDC using this

[Touch-packages] [Bug 1981697] Re: KDC: weak crypto in default settings

2023-04-05 Thread Andreas Hasenack
** Description changed: [ Impact ] The default crypto algorithm suite selected for the master key in the ubuntu krb5-kdc package is des3-hmac-sha1. This comes from a config file shipped with the packaging which overrides upstream's default choice. Users who deploy a KDC using this

[Touch-packages] [Bug 1981697] Re: KDC: weak crypto in default settings

2023-04-05 Thread Andreas Hasenack
** Description changed: [ Impact ] The default crypto algorithm suite selected for the master key in the ubuntu krb5-kdc package is des3-hmac-sha1. This comes from a config file shipped with the packaging which overrides upstream's default choice. Users who deploy a KDC using this

[Touch-packages] [Bug 1981697] Re: KDC: weak crypto in default settings

2023-04-05 Thread Andreas Hasenack
** Description changed: [ Impact ] The default crypto algorithm suite selected for the master key in the ubuntu krb5-kdc package is des3-hmac-sha1. This comes from a config file shipped with the packaging which overrides upstream's default choice. Users who deploy a KDC using this

[Touch-packages] [Bug 1981697] Re: KDC: weak crypto in default settings

2023-04-05 Thread Andreas Hasenack
** Description changed: [ Impact ] The default crypto algorithm suite selected for the master key in the ubuntu krb5-kdc package is des3-hmac-sha1. This comes from a config file shipped with the packaging which overrides upstream's default choice. Users who deploy a KDC using this

[Touch-packages] [Bug 1981697] Re: KDC: weak crypto in default settings

2023-04-05 Thread Andreas Hasenack
** Description changed: [ Impact ] The default crypto algorithm suite selected for the master key in the ubuntu krb5-kdc package is des3-hmac-sha1. This comes from a config file shipped with the packaging which overrides upstream's default choice. Users who deploy a KDC using this

[Touch-packages] [Bug 1981697] Re: KDC: weak crypto in default settings

2023-04-05 Thread Andreas Hasenack
** Description changed: [ Impact ] The default crypto algorithm suite selected for the master key in the ubuntu krb5-kdc package is des3-hmac-sha1. This comes from a config file shipped with the packaging which overrides upstream's default choice. Users who deploy a KDC using this

[Touch-packages] [Bug 1981697] Re: KDC: weak crypto in default settings

2023-04-05 Thread Launchpad Bug Tracker
** Merge proposal linked: https://code.launchpad.net/~ahasenack/ubuntu/+source/krb5/+git/krb5/+merge/440427

[Touch-packages] [Bug 1981697] Re: KDC: weak crypto in default settings

2023-04-14 Thread Steve Langasek
Hello Thomas, or anyone else affected, Accepted krb5 into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/krb5/1.19.2-2ubuntu0.2 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.

[Touch-packages] [Bug 1981697] Re: KDC: weak crypto in default settings

2023-04-19 Thread Andreas Hasenack
# Jammy verification a) Upgrade test does not change algorithm With the release packages installed: $ apt-cache policy krb5-kdc krb5-kdc: Installed: 1.19.2-2ubuntu0.1 Candidate: 1.19.2-2ubuntu0.1 Version table: *** 1.19.2-2ubuntu0.1 500 500 http://br.archive.ubuntu.com/ubuntu jammy

[Touch-packages] [Bug 1981697] Re: KDC: weak crypto in default settings

2023-04-19 Thread Andreas Hasenack
# Jammy verification (continuation) b) Fresh install of proposed packages $ apt-cache policy krb5-kdc krb5-kdc: Installed: 1.19.2-2ubuntu0.2 Candidate: 1.19.2-2ubuntu0.2 Version table: *** 1.19.2-2ubuntu0.2 500 500 http://br.archive.ubuntu.com/ubuntu jammy-proposed/universe amd64 P

[Touch-packages] [Bug 1981697] Re: KDC: weak crypto in default settings

2023-05-10 Thread Launchpad Bug Tracker
This bug was fixed in the package krb5 - 1.19.2-2ubuntu0.2 --- krb5 (1.19.2-2ubuntu0.2) jammy; urgency=medium * d/kdc.conf: Do not specify master key type to avoid weak crypto for new realms. Existing realms will not be changed. (LP: #1981697) -- Andreas Hasenack Thu, 06 Apr

Re: [Touch-packages] [Bug 1981697] Re: KDC: weak crypto in default settings

2022-07-25 Thread Sam Hartman
> "Marc" == Marc Deslauriers <1981...@bugs.launchpad.net> writes: Marc> Oh, so it only copies the file over on new installs, that Marc> makes sense, and could be easily changed in stable releases. It's actually even less likely to cause problems than it might appear. That config value