a519008 KRB instance: make provision to work with crypto policy without SHA-1 HMAC types

3 files Authored by abbra 2 years ago, Committed by frenaud 2 years ago,
    KRB instance: make provision to work with crypto policy without SHA-1 HMAC types
    
    RHEL 9 system-wide crypto policies aim at eventual removal of SHA-1 use.
    
    Due to the bootstrapping process, force explicitly supported encryption
    types in kdc.conf, or we may end up with AES128-SHA1 and AES256-SHA2 only
    in FIPS mode at bootstrap time, which then fails to initialize kadmin
    principals requiring use of AES256-SHA2 and AES128-SHA2.
    
    Camellia ciphers must be filtered out in FIPS mode; we do that already
    in the kerberos.ldif.
    
    At this point we are not changing the master key encryption type to
    AES256-SHA2 because upgrading existing deployments is complicated, and
    at the time when a replica configuration is deployed, we don't know the
    encryption type of the original server's master key either.
    
    Fixes: https://pagure.io/freeipa/issue/9119
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Julien Rische <jrische@redhat.com>
    Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
    
        
file modified
+2 -0
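The commit message lays out three constraints on the KDC's `supported_enctypes` list: it must be set explicitly rather than left to crypto-policy defaults, both AES-SHA2 types must be present so kadmin principals can be created, and Camellia must be absent in FIPS mode (with SHA-1 HMAC types on their way out under the RHEL 9 policy). The script below is an added example, not FreeIPA's code and not the two lines this commit changed (the diff is not shown on this page); it parses a kdc.conf fragment and reports which of those constraints a given `supported_enctypes` line violates. The kdc.conf snippets are constructed for the example, and the alias table follows the MIT krb5 enctype names (verify it against the krb5 version in use).

```python
"""Audit a kdc.conf supported_enctypes line against the constraints described in
the FreeIPA commit: explicit list, AES-SHA2 types present, no SHA-1 HMAC types,
no Camellia in FIPS mode.  Added example; not FreeIPA's own code."""
import re

# Short aliases accepted by MIT krb5, mapped to their canonical enctype names.
ALIASES = {
    "aes256-cts": "aes256-cts-hmac-sha1-96",
    "aes256-sha1": "aes256-cts-hmac-sha1-96",
    "aes128-cts": "aes128-cts-hmac-sha1-96",
    "aes128-sha1": "aes128-cts-hmac-sha1-96",
    "aes256-sha2": "aes256-cts-hmac-sha384-192",
    "aes128-sha2": "aes128-cts-hmac-sha256-128",
    "camellia256-cts": "camellia256-cts-cmac",
    "camellia128-cts": "camellia128-cts-cmac",
}

# The two enctypes the commit says kadmin principals require.
REQUIRED_SHA2 = ("aes256-cts-hmac-sha384-192", "aes128-cts-hmac-sha256-128")


def parse_supported_enctypes(kdc_conf: str) -> list[str]:
    """Return canonical enctype names from the first supported_enctypes line.

    Each entry has the form enctype[:salttype]; the salt type is dropped.
    Returns [] when the option is not set at all (assumes a single-line value).
    """
    m = re.search(r"^\s*supported_enctypes\s*=\s*(.+)$", kdc_conf, re.MULTILINE)
    if not m:
        return []
    names = [tok.split(":", 1)[0].lower() for tok in m.group(1).split()]
    return [ALIASES.get(n, n) for n in names]


def check_enctypes(kdc_conf: str, fips_mode: bool) -> list[str]:
    """List every constraint the supported_enctypes line fails; [] means clean."""
    names = parse_supported_enctypes(kdc_conf)
    problems = []
    if not names:
        # Nothing explicit: the KDC falls back to whatever the crypto policy
        # allows at bootstrap time, which is exactly the failure the commit fixes.
        return ["supported_enctypes not set explicitly; KDC relies on policy defaults"]
    for required in REQUIRED_SHA2:
        if required not in names:
            problems.append(f"missing {required} (needed for kadmin principals)")
    for n in names:
        if "hmac-sha1" in n:
            problems.append(f"SHA-1 HMAC enctype {n} is unavailable under a policy without SHA-1")
        if fips_mode and n.startswith("camellia"):
            problems.append(f"Camellia enctype {n} must be filtered out in FIPS mode")
    return problems


# Constructed kdc.conf fragments (realm name and paths are placeholders).
CONF_IMPLICIT = """[realms]
 EXAMPLE.TEST = {
  master_key_type = aes256-cts
 }
"""

CONF_LEGACY = """[realms]
 EXAMPLE.TEST = {
  supported_enctypes = aes256-cts:special aes128-cts:special camellia256-cts-cmac:special
 }
"""

CONF_EXPLICIT = """[realms]
 EXAMPLE.TEST = {
  supported_enctypes = aes256-cts-hmac-sha384-192:special aes128-cts-hmac-sha256-128:special
 }
"""

if __name__ == "__main__":
    for label, conf in (("implicit", CONF_IMPLICIT), ("legacy", CONF_LEGACY), ("explicit", CONF_EXPLICIT)):
        for problem in check_enctypes(conf, fips_mode=True) or ["ok"]:
            print(f"{label}: {problem}")
```

Run it against a real kdc.conf by reading the file into `check_enctypes`; the FIPS flag is passed explicitly rather than detected, since the check is meant to be run before a bootstrap, not only on the host where it will fail.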