From 12d175e29965e854f1937db2e11c2955b837516b Mon Sep 17 00:00:00 2001
From: Julien Rische
Date: Mon, 11 Jul 2022 15:48:37 +0200
Subject: [PATCH] Add AES SHA-2 HMAC family as default KDC etypes
Resolves: rhbz#2068535
Signed-off-by: Julien Rische
---
 kdc.conf | 6 ++++--
 krb5.spec | 7 ++++++-
 2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/kdc.conf b/kdc.conf
index 5d1571d..c504e58 100644
--- a/kdc.conf
+++ b/kdc.conf
@@ -5,10 +5,12 @@
 [realms]
 EXAMPLE.COM = {
- #master_key_type = aes256-cts
+ master_key_type = aes256-cts-hmac-sha384-192
 acl_file = /var/kerberos/krb5kdc/kadm5.acl
 dict_file = /usr/share/dict/words
 default_principal_flags = +preauth
 admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
- supported_enctypes = aes256-cts:normal aes128-cts:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal
+ supported_enctypes = aes256-cts-hmac-sha384-192:normal aes128-cts-hmac-sha256-128:normal aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal camellia256-cts-cmac:normal camellia128-cts-cmac:normal arcfour-hmac-md5:normal
+ # Supported encryption types for FIPS mode:
+ #supported_enctypes = aes256-cts-hmac-sha384-192:normal aes128-cts-hmac-sha256-128:normal
 }
diff --git a/krb5.spec b/krb5.spec
index fe47be3..e71f1a7 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -34,7 +34,7 @@
 #
 # baserelease is what we have standardized across Fedora and what
 # rpmdev-bumpspec knows how to handle.
-%global baserelease 3
+%global baserelease 4
 # This should be e.g. beta1 or %%nil
 %global pre_release %nil
@@ -661,6 +661,11 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 %changelog
+* Thu Jan 12 2023 Julien Rische - 1.20.1-4
+- Set aes256-cts-hmac-sha384-192 as EXAMLE.COM master key in kdc.conf
+- Add AES SHA-2 HMAC family as EXAMPLE.COM supported etypes in kdc.conf
+- Resolves: rhbz#2068535
+
 * Tue Jan 10 2023 Julien Rische - 1.20.1-2
 - Strip debugging data from ksu executable file
 - Resolves: rhbz#2159643
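Review bot: The active `supported_enctypes` line added in the kdc.conf hunk still ends with `arcfour-hmac-md5:normal`, so a realm built from this template keeps generating an RC4 long-term key for every principal created or re-keyed through kadmin, alongside the new AES SHA-2 keys. The RC4 key is derived from the password without a salt and is the weakest entry in the list, which undercuts the move to `aes256-cts-hmac-sha384-192` as the default. If the entry is kept on purpose for interoperability with older peers, say so in the file, e.g. `# arcfour-hmac-md5 is kept only for legacy interoperability; remove it once no client needs RC4`; otherwise drop it from the active line. The hunk also uncomments `master_key_type`; as I read that option it matters when a database is created, so a short comment saying this would help administrators who merge the template into an existing KDC (worth confirming against the kdc.conf documentation).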