freeipa

Clone
Source Code
GIT

a43100b Don't configure disabled krb5 enctypes in FIPS mode

2 files Authored by rcritten 4 years ago, Committed by abbra 4 years ago,
raw patch tree parent
2 files changed. 10 lines added. 9 lines removed.
install/share/kerberos.ldif
file modified
+8 -8
ipaserver/install/krbinstance.py
file modified
+2 -1 
    Don't configure disabled krb5 enctypes in FIPS mode
    
    The only permitted ciphers are the AES family (called aes, which
    is the combination of: aes256-cts-hmac-sha1-96,
    aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and
    aes128-cts-hmac-sha256-128).
    
    DES, RC4, and Camellia are not permitted in FIPS mode.  While 3DES
    is permitted, the KDF used for it in krb5 is not, and Microsoft
    doesn't implement 3DES anyway.
    
    This is only applied on new installations because we don't
    allow converting a non-FIPS install into a FIPS one.
    
    Reviewed-By: Robbie Harwood <rharwood@redhat.com>
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
file modified
+8 -8
file modified
+2 -1
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.