#9119 KRB instance: make provision to work with crypto policy without SHA-1 HMAC types
Closed: fixed a year ago by abbra. Opened a year ago by abbra.

RHEL 9 system-wide crypto policies aim at eventual removal of SHA-1 use.

Due to the bootstrapping process, explicitly force the supported encryption types in kdc.conf, or we may end up with AES128-CTS and AES256-CTS only in FIPS mode at bootstrap time, which then fails to initialize kadmin principals requiring the use of AES256-SHA2 and AES128-SHA2.

Camellia ciphers must be filtered out in FIPS mode; we do that already in kerberos.ldif, but if supported_enctypes is to be set explicitly, they need to be removed here as well.


PR: https://github.com/freeipa/freeipa/pull/6197

Note that switching the master key to aes256-sha2 is not possible, as in the case of a replica we don't know what the master key encryption type on the master would be before creating the configuration files.

A process to upgrade the master key encryption type is described at http://web.mit.edu/kerberos/krb5-latest/doc/admin/advanced/retiring-des.html (replace DES with any other encryption type); it is multi-step and non-trivial. We would need to make it easier before attempting to switch to aes256-sha2 directly.
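A worked example, added here and not FreeIPA's own code, of the kdc.conf handling described in the issue: build an explicit supported_enctypes list that keeps the SHA-2 based AES types, drops the Camellia types when FIPS mode is on, and takes master_key_type as an input rather than choosing it locally (the replica constraint above). The helper names, the default preference list and the realm name are assumptions; the enctype and salt-type strings are standard MIT krb5 names.

```python
# Added example, not FreeIPA's own code. Helper names and the default list
# below are assumptions; enctype/salt names are standard MIT krb5 ones.

# Constructed preference list. SHA-2 based AES types come first so that
# kadmin principals requiring them can be created at bootstrap time even
# when the system crypto policy no longer permits SHA-1 HMAC types.
DEFAULT_ENCTYPES = [
    "aes256-cts-hmac-sha384-192",
    "aes128-cts-hmac-sha256-128",
    "aes256-cts-hmac-sha1-96",
    "aes128-cts-hmac-sha1-96",
    "camellia256-cts-cmac",
    "camellia128-cts-cmac",
]


def fips_enabled(path="/proc/sys/crypto/fips_enabled"):
    """Report kernel FIPS mode; a missing file (non-Linux, container) counts as off."""
    try:
        with open(path) as f:
            return f.read().strip() == "1"
    except OSError:
        return False


def filter_enctypes(enctypes, fips):
    """Drop Camellia types when FIPS mode is on; preserve order otherwise."""
    if not fips:
        return list(enctypes)
    return [e for e in enctypes if not e.startswith("camellia")]


def supported_enctypes_value(enctypes, fips, salt="normal"):
    """Render the kdc.conf value: space-separated enctype:salttype pairs."""
    return " ".join(f"{e}:{salt}" for e in filter_enctypes(enctypes, fips))


def realm_stanza(realm, master_key_type, fips, enctypes=DEFAULT_ENCTYPES):
    """Render a [realms] entry for kdc.conf.

    master_key_type is passed in, not chosen here: a replica must match the
    master key type already in use on the master, which is not known from
    local state when the configuration files are written.
    """
    lines = [
        f"  {realm} = {{",
        f"    master_key_type = {master_key_type}",
        f"    supported_enctypes = {supported_enctypes_value(enctypes, fips)}",
        "  }",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed realm name; the master key type here is the SHA-1 AES type
    # an existing master is likely to still be using.
    print("[realms]")
    print(realm_stanza("EXAMPLE.TEST", "aes256-cts-hmac-sha1-96", fips_enabled()))
```

Running the block prints a realm stanza whose supported_enctypes line contains no Camellia entry on a FIPS-enabled host and the full list elsewhere; the master key type is deliberately an argument so the same code serves a first master and a replica.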

master:

  • d38dd26 KRB instance: make provision to work with crypto policy without SHA-1 HMAC types
  • 2eee593 tests: ensure AD-SUPPORT subpolicy is active
  • 985dffe ipatests: extend AES keyset to SHA2-based ones
  • 7d25eea freeipa.spec: bump crypto-policies dependency for CentOS 9 Stream

ipa-4-9:

  • a519008 KRB instance: make provision to work with crypto policy without SHA-1 HMAC types
  • b016683 tests: ensure AD-SUPPORT subpolicy is active
  • 49d9147 ipatests: extend AES keyset to SHA2-based ones
  • ee39de4 freeipa.spec: bump crypto-policies dependency for CentOS 9 Stream

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a year ago

Metadata Update from @frenaud:
- Issue status updated to: Open (was: Closed)

a year ago

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2057471

a year ago

master:

  • a6030f5 Kerberos instance: default to AES256-SHA2 for master key encryption
  • 621af27 test_otp: do not use paramiko unless it is really needed
  • 517ae59 test_krbtpolicy: skip SPAKE-related tests in FIPS mode

ipa-4-9:

  • 3e54c43 Kerberos instance: default to AES256-SHA2 for master key encryption
  • 3baae8d test_otp: do not use paramiko unless it is really needed
  • 2e70535 test_krbtpolicy: skip SPAKE-related tests in FIPS mode

Metadata Update from @abbra:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a year ago

master:

  • 5a42ab1 tests: ensure AD-SUPPORT subpolicy is active in more cases

ipa-4-9:

  • 0948111 tests: ensure AD-SUPPORT subpolicy is active in more cases
