Don't configure disabled krb5 enctypes in FIPS mode

The only permitted ciphers are the AES family (called aes, which
is the combination of: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and
aes128-cts-hmac-sha256-128).

DES, RC4, and Camellia are not permitted in FIPS mode.  While 3DES
is permitted, the KDF used for it in krb5 is not, and Microsoft
doesn't implement 3DES anyway.

This is only applied on new installations because we don't
allow converting a non-FIPS install into a FIPS one.

Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Rob Crittenden
2019-07-01 13:33:39 -04:00
committed by Alexander Bokovoy
parent b57c818fab
commit a43100badc
2 changed files with 10 additions and 9 deletions
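To make the substitution in this commit concrete, here is an added example (not FreeIPA's code) that renders a kdc.conf fragment the same way: the `FIPS` template variable is either `#` or empty, so the enctype lines are commented out when FIPS mode is on, and a checker confirms that no non-FIPS enctype is left active. The template layout, the `$FIPS` placeholder name, the alias table and the `/proc/sys/crypto/fips_enabled` probe are assumptions for illustration; the four permitted enctype names are the ones the commit message lists.

```python
"""Added example, not FreeIPA code: FIPS-aware enctype handling for kdc.conf.

Mirrors ``FIPS='#' if tasks.is_fips_enabled() else ''`` from the commit.
Assumptions (not from the page): the template text, the ``$FIPS`` placeholder,
the alias table and the /proc probe used by fips_enabled().
"""
import re
from string import Template

# The only enctypes the commit message permits in FIPS mode.
FIPS_ENCTYPES = frozenset({
    "aes256-cts-hmac-sha1-96",
    "aes128-cts-hmac-sha1-96",
    "aes256-cts-hmac-sha384-192",
    "aes128-cts-hmac-sha256-128",
})

# Short krb5 aliases mapped back to the canonical names (assumed table).
ALIASES = {
    "aes256-cts": "aes256-cts-hmac-sha1-96",
    "aes128-cts": "aes128-cts-hmac-sha1-96",
    "aes256-sha2": "aes256-cts-hmac-sha384-192",
    "aes128-sha2": "aes128-cts-hmac-sha256-128",
}


def canonical(enctype):
    return ALIASES.get(enctype, enctype)


def fips_permitted(enctype):
    """True only for the AES family; DES, RC4, 3DES and Camellia are rejected."""
    return canonical(enctype) in FIPS_ENCTYPES


def fips_enabled(proc_path="/proc/sys/crypto/fips_enabled"):
    """Assumed probe: kernel FIPS flag; False if the file is absent."""
    try:
        with open(proc_path) as f:
            return f.read().strip() == "1"
    except OSError:
        return False


def split_enctype_list(value):
    """'aes256-cts:special, rc4-hmac' -> [('aes256-cts', 'special'), ('rc4-hmac', 'normal')]"""
    out = []
    for item in re.split(r"[,\s]+", value.strip()):
        if item:
            name, _, salt = item.partition(":")
            out.append((name, salt or "normal"))
    return out


def filter_for_fips(value):
    """Alternative to commenting the line out: keep only FIPS-permitted entries."""
    kept = [f"{n}:{s}" for n, s in split_enctype_list(value) if fips_permitted(n)]
    return ", ".join(kept)


# Assumed template shape: ${FIPS} prefixes every line that must vanish in FIPS mode.
KDC_TEMPLATE = Template("""\
[realms]
 $REALM = {
  master_key_type = aes256-cts
  ${FIPS}supported_enctypes = aes256-cts:special, aes128-cts:special, aes256-sha2:special, aes128-sha2:special, camellia256-cts:special, camellia128-cts:special
  ${FIPS}permitted_enctypes = aes256-cts aes128-cts aes256-sha2 aes128-sha2 camellia256-cts camellia128-cts
 }
""")


def render_kdc_conf(realm, fips):
    """Same trick as the commit: '#' comments the enctype lines out, '' keeps them."""
    return KDC_TEMPLATE.substitute(REALM=realm, FIPS="#" if fips else "")


def check_kdc_conf(text):
    """Return non-FIPS enctypes that are still active (uncommented) in the config."""
    bad = []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("#"):
            continue
        m = re.match(r"(supported|permitted)_enctypes\s*=\s*(.+)", s)
        if m:
            bad.extend(n for n, _ in split_enctype_list(m.group(2)) if not fips_permitted(n))
    return bad


if __name__ == "__main__":
    conf = render_kdc_conf("EXAMPLE.TEST", fips=fips_enabled())
    print(conf)
    print("non-FIPS enctypes still active:", check_kdc_conf(conf))
```

Commenting the whole line out (the commit's approach) leaves the enctype choice to krb5's own FIPS-aware defaults; `filter_for_fips` shows the explicit alternative, which also drops 3DES because the krb5 KDF for it is not FIPS-approved, as the commit message notes.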


@@ -273,7 +273,8 @@ class KrbInstance(service.Service):
CACERT_PEM=paths.CACERT_PEM,
KDC_CA_BUNDLE_PEM=paths.KDC_CA_BUNDLE_PEM,
CA_BUNDLE_PEM=paths.CA_BUNDLE_PEM,
INCLUDES=includes)
INCLUDES=includes,
FIPS='#' if tasks.is_fips_enabled() else '')
# IPA server/KDC is not a subdomain of default domain
# Proper domain-realm mapping needs to be specified
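Review bot: `FIPS='#' if tasks.is_fips_enabled() else ''` is opaque at this call site; nothing here says that the value is a comment prefix that disables the enctype lines in the kdc.conf template, and the template half of the change (the commit touches two files, only this one is shown) is where that meaning lives. Suggest a short comment above the substitution, e.g. `# '#' comments the non-FIPS enctype lines out of the template in FIPS mode`, so the next reader does not have to open the template to understand it. Since this only changes what is rendered at install time, existing installs keep whatever enctype lines they already have; that matches the "new installations only" note in the commit message, but it is worth stating in the code as well so nobody later expects an upgrade step to apply it.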