From a6030f5f53e077a0443605fba23ef104c797f168 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Mon, 14 Mar 2022 13:23:04 +0200 Subject: [PATCH] Kerberos instance: default to AES256-SHA2 for master key encryption KDC configuration in /var/kerberos/krb5kdc/kdc.conf is generated from the template in install/share/kdc.conf.template. Master key encryption type specified there is used to bootstrap the master key in LDAP database. Once it is done, actual deployment does not rely on the master_key_type value anymore. The actual master key(s) get loaded from LDAP database where they stored in a BER-encoded format, preserving all parameters, including encryption type. This means we can safely migrate to AES256-SHA2 as the default master key encryption type for new installations. Replicas will get their master key encryption type details from the server they were provisioned from. MIT Kerberos supports AES256-SHA2 since 1.15 (2015), meaning RHEL 7.4 is the earliest supported version as it provides krb5 1.15.1. Current supported RHEL 7 version is RHEL 7.9. Since RHEL 6 already cannot be used as a replica to IPA 4.5+ due to a domain level 1 upgrade, this change does not affect old releases. Migration from the previously deployed master key encryption type is described by MIT Kerberos upstream in http://web.mit.edu/kerberos/krb5-latest/doc/admin/advanced/retiring-des.html#the-database-master-key One would need to use '-x ipa-setup-override-restrictions' to allow the `kdb5_util` utility to modify the data over IPA KDB driver. Fixes: https://pagure.io/freeipa/issue/9119 Signed-off-by: Alexander Bokovoy Reviewed-By: Francisco Trivino --- ipaserver/install/krbinstance.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index 01b3309d5..a5eaa7b17 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -51,7 +51,7 @@ logger = logging.getLogger(__name__) PKINIT_ENABLED = 'pkinitEnabled' -MASTER_KEY_TYPE = 'aes256-sha1' +MASTER_KEY_TYPE = 'aes256-sha2' SUPPORTED_ENCTYPES = ('aes256-sha2:special', 'aes128-sha2:special', 'aes256-sha2:normal', 'aes128-sha2:normal', 'aes256-cts:special', 'aes128-cts:special',