This bug was fixed in the package krb5 - 1.19.2-2ubuntu0.2
---
krb5 (1.19.2-2ubuntu0.2) jammy; urgency=medium
* d/kdc.conf: Do not specify master key type to avoid weak crypto for
new realms. Existing realms will not be changed. (LP: #1981697)
-- Andreas Hasenack Thu, 06 Apr
# Jammy verification (continuation)
b) Fresh install of proposed packages
$ apt-cache policy krb5-kdc
krb5-kdc:
Installed: 1.19.2-2ubuntu0.2
Candidate: 1.19.2-2ubuntu0.2
Version table:
*** 1.19.2-2ubuntu0.2 500
500 http://br.archive.ubuntu.com/ubuntu jammy-proposed/universe amd64
P
# Jammy verification
a) Upgrade test does not change algorithm
With the release packages installed:
$ apt-cache policy krb5-kdc
krb5-kdc:
Installed: 1.19.2-2ubuntu0.1
Candidate: 1.19.2-2ubuntu0.1
Version table:
*** 1.19.2-2ubuntu0.1 500
500 http://br.archive.ubuntu.com/ubuntu jammy
Hello Thomas, or anyone else affected,
Accepted krb5 into jammy-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/krb5/1.19.2-2ubuntu0.2
in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki.
** Merge proposal linked:
https://code.launchpad.net/~ahasenack/ubuntu/+source/krb5/+git/krb5/+merge/440427
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1981697
Title:
** Description changed:
[ Impact ]
The default crypto algorithm suite selected for the master key in the
ubuntu krb5-kdc package is des3-hmac-sha1. This comes from a config file
shipped with the packaging which overrides upstream's default choice.
Users who deploy a KDC using this
** Description changed:
+ [ Impact ]
+
+ The default crypto algorithm suite selected for the master key in the
+ ubuntu krb5-kdc package is 3des-sha1. This comes from a config file
+ shipped with the packaging which overrides upstream's default choice.
+
+ Users who deploy a KDC using this packa
** Changed in: krb5 (Ubuntu Jammy)
Status: Triaged => In Progress
Title:
KDC: weak crypto in default settings
S
** Changed in: krb5 (Ubuntu Jammy)
Assignee: (unassigned) => Andreas Hasenack (ahasenack)
This was fixed in Kinetic with
https://launchpad.net/ubuntu/+source/krb5/1.20-1
krb5 (1.20-1) unstable; urgency=medium
* New Upstream Version
* Do not specify master key type to avoid weak crypto, Closes: #1009927
-- Sam Hartman Fri, 22 Jul 2022 16:32:38 -0600
** Also affects: krb5 (Ubun
** Tags added: bitesize server-todo
** Also affects: krb5 (Ubuntu Jammy)
Importance: Undecided
Status: New
** Changed in: krb5 (Ubuntu Jammy)
Status: New => Triaged
** Changed in: krb5 (Ubuntu)
Importance: Undecided => Medium
** Changed in: krb5 (Ubuntu Jammy)
Importance:
** Changed in: krb5 (Debian)
Status: Unknown => Fix Released
> "Marc" == Marc Deslauriers <1981...@bugs.launchpad.net> writes:
Marc> Oh, so it only copies the file over on new installs, that
Marc> makes sense, and could be easily changed in stable releases.
It's actually even less likely to cause problems than it might appear.
That config value
Oh, so it only copies the file over on new installs, that makes sense,
and could be easily changed in stable releases.
I have no big preference, but perhaps it would be good to have it SRUed
to 22.04.
Actually, looks like it could be simple, as in, do nothing out of the ordinary.
The config file is not shipped as /etc/krb5kdc/kdc.conf:
db_get krb5-kdc/debconf
DEBCONF="$RET"
if [ ! -f /etc/krb5kdc/kdc.conf ] && [ $DEBCONF = "true" ] ; then
sed -e "s/@MYREALM/$KRB5LD_DEFAULT_
This was fixed in debian and is currently in kinetic-proposed:
https://launchpad.net/ubuntu/+source/krb5/1.20-1
I'm unsure how to approach this from an SRU perspective, given it's a
configuration setting in the default config file that is ship:
--- a/debian/kdc.conf
+++ b/debian/kdc.conf
@@ -10,
Here is a collection of guides from upstream MIT kerberos:
https://web.mit.edu/kerberos/krb5-latest/doc/admin/enctypes.html#migrating-away-from-older-encryption-types
** Bug watch added: Debian Bug tracker #1009927
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009927
** Also affects: krb5 (Debian) via
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009927
Importance: Unknown
Status: Unknown
** Changed in: krb5 (Ubuntu)
Status: Ne
A helpful howto for users who want to update the weak KDC master key with
state-of-the-art crypto:
https://docs.oracle.com/cd/E36784_01/html/E37126/st-mkey-1.html