Re: Bug#629276: NFS needs same dispensation to use DES as AFS
* Brian May [2011-06-07 13:29:33 +1000]:
> Hello debian-devel,
> What should I do with this bug?
> I did build a version for unstable, but I am not convinced this change
> is needed for unstable.
Let me argue that it is still needed for the next Debian release. When
that comes out, squeeze will remain supported for another 12 months, and
any KDC serving an environment where Kerberized NFS is used on squeeze
hosts will need something like this. And that's even without considering
support for other distributions or operating systems, which may have
their own, possibly glacial paces for migrating to strong crypto.
The patch does not prevent the use of stronger enctypes, it just enables
the use of DES if requested (and if the service principal has a DES
enctype in the KDC database; one can always use del_enctype if need be).
> I am doubtful it will get accepted in stable, because it isn't fixing
> a grave bug.
> I am not sure it is appropriate for backports, because the change
> isn't in unstable.
> On 5 June 2011 19:25, Sergio Gelato <Sergio.Gelato@astro.su.se> wrote:
> > Package: heimdal-kdc
> > Version: 1.4.0~git20100726.dfsg.1-1
> > Tags: patch
> > Recent Heimdal KDC disables DES encryption types on the (valid) grounds that
> > they are too weak. An exception is made where the service principal is "afs"
> > since the work to upgrade AFS to support stronger crypto is still very much
> > in progress.
> > Unfortunately, Kerberized NFS has a similar problem. Support for stronger
> > enctypes didn't make it into the Linux kernel until 2.6.35 (post-squeeze).
> > Until all NFS servers and clients have been upgraded to support stronger
> > enctypes, a site will want to enable DES enctypes for "nfs" service
> > principals. Here is a patch that does just that; I've successfully tested
> > it. I think it would be highly desirable to have this in squeeze; more
> > so, in fact, than in later releases since the need for DES support with
> > NFS service principals ought to decrease with time.
> > Without this patch, the KDC rejects AS requests that specify DES enctypes
> > with "krb5_crypto_init failed: encryption type (1|2|3) not supported"
> > (illustrating another oddity, namely that krb5_crypto_init() uses the
> > same error message whether the enctype is unknown or known but disabled;
> > krb5_enctype_valid() has two distinct error messages) and TGS requests
> > result in "Server (nfs/f.q.d.n) has no support for etypes" (also in the
> > KDC's log). The client did have [libdefaults]allow_weak_crypto=true, as
> > shown by the fact that the AS and TGS requests asked for a DES enctype.
> Brian May <email@example.com>