Re: Bug#629276: NFS needs same dispensation to use DES as AFS
What should I do with this bug?
I did build a version for unstable, but I am not convinced this change
is needed for unstable.
I am doubtful it will get accepted in stable, because it isn't fixing
a grave bug.
I am not sure it is appropriate for backports, because the change
isn't in unstable.
On 5 June 2011 19:25, Sergio Gelato <Sergio.Gelato@astro.su.se> wrote:
> Package: heimdal-kdc
> Version: 1.4.0~git20100726.dfsg.1-1
> Tags: patch
> Recent Heimdal KDC disables DES encryption types on the (valid) grounds that
> they are too weak. An exception is made where the service principal is "afs"
> since the work to upgrade AFS to support stronger crypto is still very much
> in progress.
> Unfortunately, Kerberized NFS has a similar problem. Support for stronger
> enctypes didn't make it into the Linux kernel until 2.6.35 (post-squeeze).
> Until all NFS servers and clients have been upgraded to support stronger
> enctypes, a site will want to enable DES enctypes for "nfs" service
> principals. Here is a patch that does just that; I've successfully tested
> it. I think it would be highly desirable to have this in squeeze; more
> so, in fact, than in later releases since the need for DES support with
> NFS service principals ought to decrease with time.
> Without this patch, the KDC rejects AS requests that specify DES enctypes
> with "krb5_crypto_init failed: encryption type (1|2|3) not supported"
> (illustrating another oddity, namely that krb5_crypto_init() uses the
> same error message whether the enctype is unknown or known but disabled;
> krb5_enctype_valid() has two distinct error messages) and TGS requests
> result in "Server (nfs/f.q.d.n) has no support for etypes" (also in the
> KDC's log). The client did have [libdefaults]allow_weak_crypto=true, as
> shown by the fact that the AS and TGS requests asked for a DES enctype.
Brian May <email@example.com>
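
The two KDC log messages quoted in the report can be used to track which service principals still depend on single-DES, and so when an exception such as the one for "afs" or "nfs" can be retired. The following is an added example, not part of the original thread or of Heimdal; the log line layout (timestamp prefix) and the sample lines are assumptions constructed for illustration, and only the message texts come from the report.

```python
import re
from collections import Counter

# Kerberos enctype numbers 1-3 are the single-DES types (RFC 3961).
DES_ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}

# Message texts as quoted in the report. krb5_crypto_init() uses the same
# wording for unknown and for disabled enctypes, so the number decides.
CRYPTO_RE = re.compile(r"krb5_crypto_init failed: encryption type (\d+) not supported")
SERVER_RE = re.compile(r"Server \(([^)]+)\) has no support for etypes")

# Constructed sample log lines, not taken from a real KDC.
SAMPLE_LOG = """\
2011-06-05T19:01:02 krb5_crypto_init failed: encryption type 1 not supported
2011-06-05T19:02:10 Server (nfs/files.example.org) has no support for etypes
2011-06-05T19:03:44 Server (nfs/files.example.org) has no support for etypes
2011-06-05T19:04:00 krb5_crypto_init failed: encryption type 3 not supported
2011-06-05T19:05:00 krb5_crypto_init failed: encryption type 99 not supported
2011-06-05T19:06:00 unrelated line that matches neither message
"""

def summarize(lines):
    """Return (disabled DES enctypes, other enctypes, TGS rejections per service)."""
    des, other, services = Counter(), Counter(), Counter()
    for line in lines:
        m = CRYPTO_RE.search(line)
        if m:
            etype = int(m.group(1))
            if etype in DES_ETYPES:
                des[DES_ETYPES[etype]] += 1   # known but disabled as weak
            else:
                other[etype] += 1             # not a DES enctype number
            continue
        m = SERVER_RE.search(line)
        if m:
            # Group by service name ("nfs", "afs", ...) rather than by host.
            services[m.group(1).split("/", 1)[0]] += 1
    return des, other, services

if __name__ == "__main__":
    des, other, services = summarize(SAMPLE_LOG.splitlines())
    print("AS requests rejected for disabled DES enctypes:", dict(des))
    print("AS requests rejected for other enctype numbers:", dict(other))
    print("TGS requests rejected per service:", dict(services))
```
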