I'm pretty sure that changing the master key encryption type used for new databases has basically no upgrade considerations and could be "just done". Updating the encryption type for that key on existing databases will have nontrivial upgrade considerations (and in fact will not be possible to do automatically in a maintainer script in all cases).
It is even possible that we might drop that configuration stanza entirely rather than just changing the encryption type, though we would want to more thoroughly research the consequences of doing so before actually making that change.

Thanks for the report, this is definitely something we should be taking action on.

-Ben

On Wed, Apr 20, 2022 at 05:51:45PM -0300, Andreas Hasenack wrote:
> Package: krb5
> Version: 1.19.2-2
> Severity: normal
>
> Dear Maintainer,
>
> When creating a new realm using `krb5_newrealm`, the following warning
> is logged in /var/log/syslog:
>
> Apr 20 20:43:16 kdc krb5kdc[3136]: Stash file /etc/krb5kdc/stash uses
> DEPRECATED enctype des3-cbc-sha1!
>
> This comes from the kdc.conf template in
> /usr/share/krb5-kdc/kdc.conf.template which has "master_key_type =
> des3-hmac-sha1".
>
> Maybe it's time to update that encryption type? The kdc.conf manpage
> says that the current default is "aes256-cts-hmac-sha1-96". The sample
> kdc.conf in the documentation at
> https://web.mit.edu/kerberos/krb5-latest/doc/admin/install_kdc.html#kdc-conf
> suggests just "master_key_type = aes256-cts".
>
> I understand there may be important upgrade path considerations. Given
> all the care and precautions that are shown for migrating away from
> single DES in
> https://web.mit.edu/kerberos/krb5-latest/doc/admin/advanced/retiring-des.html,
> changing the default master key type for fresh installs might also
> require careful planning and thought, but at some point this process
> must start. And upstream is now flagging DES3 as deprecated already.
>
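As an added illustration (not code from the bug report or from the krb5 package), here is a small Python check that flags a deprecated master_key_type in a kdc.conf [realms] stanza, treats a missing setting as the manpage default, and picks the KDC's own stash warning out of syslog lines. The DES/DES3 name list, the sample kdc.conf and the syslog line are constructed here.

```python
import re
# Enctype names MIT krb5 flags as deprecated: single DES and the DES3 family
# (des3-hmac-sha1, the Debian template's value, is an alias of des3-cbc-sha1).
DEPRECATED_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw",
                       "des3-cbc-raw", "des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-sha1-kd"}
# Default applied when a realm stanza sets no master_key_type (kdc.conf manpage).
DEFAULT_MASTER_KEY_TYPE = "aes256-cts-hmac-sha1-96"
# Shape of the KDC's own warning as quoted from /var/log/syslog in the report.
STASH_WARNING = re.compile(r"krb5kdc\[\d+\]: Stash file (?P<path>\S+) uses DEPRECATED enctype (?P<enctype>\S+)!")

def audit_kdc_conf(text):
    """Map each single-level realm stanza in [realms] to (master_key_type, is_deprecated)."""
    findings, section, realm, mkt = {}, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()  # e.g. [realms]
        elif section == "realms" and realm is None and line.endswith("{"):
            realm, mkt = line[:-1].split("=", 1)[0].strip(), None
        elif realm is not None and line == "}":
            key = mkt or DEFAULT_MASTER_KEY_TYPE
            findings[realm] = (key, key.lower() in DEPRECATED_ENCTYPES)
            realm = None
        elif realm is not None and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            if k == "master_key_type":
                mkt = v
    return findings

def find_stash_warnings(log_lines):
    """Return (stash path, enctype) for every deprecated-stash warning found."""
    matches = (STASH_WARNING.search(entry) for entry in log_lines)
    return [(m["path"], m["enctype"]) for m in matches if m]

# Constructed sample inputs: one realm still on the template's value, one
# relying on the default, and a syslog line shaped like the one reported.
SAMPLE_KDC_CONF = """[realms]
    OLD.EXAMPLE = {
        master_key_type = des3-hmac-sha1
    }
    NEW.EXAMPLE = {
        database_name = /var/lib/krb5kdc/principal
    }
"""
SAMPLE_SYSLOG = ["Apr 20 20:43:16 kdc krb5kdc[3136]: Stash file /etc/krb5kdc/stash "
                 "uses DEPRECATED enctype des3-cbc-sha1!"]
```

Running `audit_kdc_conf(SAMPLE_KDC_CONF)` reports OLD.EXAMPLE as deprecated and NEW.EXAMPLE on the aes256 default; `find_stash_warnings(SAMPLE_SYSLOG)` returns the stash path and enctype from the warning line.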