IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Don't configure disabled krb5 enctypes in FIPS mode

Browse Source 
The only permitted ciphers are the AES family (called aes, which
is the combination of: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and
aes128-cts-hmac-sha256-128).

DES, RC4, and Camellia are not permitted in FIPS mode.  While 3DES
is permitted, the KDF used for it in krb5 is not, and Microsoft
doesn't implement 3DES anyway.

This is only applied on new installations because we don't
allow converting a non-FIPS install into a FIPS one.

Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This commit is contained in:
Rob Crittenden 2019-07-01 13:33:39 -04:00 committed by Alexander Bokovoy
parent b57c818fab
commit a43100badc
2 changed files with 10 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
install/share/kerberos.ldif
View File

@ -18,14 +18,14 @@ krbSupportedEncSaltTypes: aes256-cts:normal
krbSupportedEncSaltTypes: aes256-cts:special krbSupportedEncSaltTypes: aes256-cts:special
krbSupportedEncSaltTypes: aes128-cts:normal krbSupportedEncSaltTypes: aes128-cts:normal
krbSupportedEncSaltTypes: aes128-cts:special krbSupportedEncSaltTypes: aes128-cts:special
krbSupportedEncSaltTypes: des3-hmac-sha1:normal ${FIPS}krbSupportedEncSaltTypes: des3-hmac-sha1:normal
krbSupportedEncSaltTypes: des3-hmac-sha1:special ${FIPS}krbSupportedEncSaltTypes: des3-hmac-sha1:special
krbSupportedEncSaltTypes: arcfour-hmac:normal ${FIPS}krbSupportedEncSaltTypes: arcfour-hmac:normal
krbSupportedEncSaltTypes: arcfour-hmac:special ${FIPS}krbSupportedEncSaltTypes: arcfour-hmac:special
krbSupportedEncSaltTypes: camellia128-cts-cmac:normal ${FIPS}krbSupportedEncSaltTypes: camellia128-cts-cmac:normal
krbSupportedEncSaltTypes: camellia128-cts-cmac:special ${FIPS}krbSupportedEncSaltTypes: camellia128-cts-cmac:special
krbSupportedEncSaltTypes: camellia256-cts-cmac:normal ${FIPS}krbSupportedEncSaltTypes: camellia256-cts-cmac:normal
krbSupportedEncSaltTypes: camellia256-cts-cmac:special ${FIPS}krbSupportedEncSaltTypes: camellia256-cts-cmac:special
krbMaxTicketLife: 86400 krbMaxTicketLife: 86400
krbMaxRenewableAge: 604800 krbMaxRenewableAge: 604800
krbDefaultEncSaltTypes: aes256-cts:special krbDefaultEncSaltTypes: aes256-cts:special

3
ipaserver/install/krbinstance.py
View File

@ -273,7 +273,8 @@ class KrbInstance(service.Service):
CACERT_PEM=paths.CACERT_PEM, CACERT_PEM=paths.CACERT_PEM,
KDC_CA_BUNDLE_PEM=paths.KDC_CA_BUNDLE_PEM, KDC_CA_BUNDLE_PEM=paths.KDC_CA_BUNDLE_PEM,
CA_BUNDLE_PEM=paths.CA_BUNDLE_PEM, CA_BUNDLE_PEM=paths.CA_BUNDLE_PEM,
INCLUDES=includes) INCLUDES=includes,
FIPS='#' if tasks.is_fips_enabled() else '')
# IPA server/KDC is not a subdomain of default domain # IPA server/KDC is not a subdomain of default domain
# Proper domain-realm mapping needs to be specified # Proper domain-realm mapping needs to be specified