FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.

» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Debian > Debian Development

LinkBack Thread Tools
Old 06-07-2011, 03:29 AM
Brian May
Default Bug#629276: NFS needs same dispensation to use DES as AFS

Hello debian-devel,

What should I do with this bug?

I did build a version for unstable, but I am not convinced this change
is needed for unstable.

I am doubtful it will get accepted in stable, because it isn't fixing
a grave bug.

I am not sure it is appropriate for backports, because the change
isn't in unstable.


On 5 June 2011 19:25, Sergio Gelato <Sergio.Gelato@astro.su.se> wrote:
> Package: heimdal-kdc
> Version: 1.4.0~git20100726.dfsg.1-1
> Tags: patch
> Recent Heimdal KDC disables DES encryption types on the (valid) grounds that
> they are too weak. An exception is made where the service principal is "afs"
> since the work to upgrade AFS to support stronger crypto is still very much
> in progress.
> Unfortunately, Kerberized NFS has a similar problem. Support for stronger
> enctypes didn't make it into the Linux kernel until 2.6.35 (post-squeeze).
> Until all NFS servers and clients have been upgraded to support stronger
> enctypes, a site will want to enable DES enctypes for "nfs" service
> principals. Here is a patch that does just that; I've successfully tested
> it. I think it would be highly desirable to have this in squeeze; more
> so, in fact, than in later releases since the need for DES support with
> NFS service principals ought to decrease with time.
> Without this patch, the KDC rejects AS requests that specify DES enctypes
> with "krb5_crypto_init failed: encryption type (1|2|3) not supported"
> (illustrating another oddity, namely that krb5_crypto_init() uses the
> same error message whether the enctype is unknown or known but disabled;
> krb5_enctype_valid() has two distinct error messages) and TGS requests
> result in "Server (nfs/f.q.d.n) has no support for etypes" (also in the
> KDC's log). The client did have [libdefaults]allow_weak_crypto=true, as
> shown by the fact that the AS and TGS requests asked for a DES enctype.
Brian May <brian@microcomaustralia.com.au>

To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: BANLkTiky1OyT+Az4ZBF3iHYyanFa-O6oEw@mail.gmail.com">http://lists.debian.org/BANLkTiky1OyT+Az4ZBF3iHYyanFa-O6oEw@mail.gmail.com

Thread Tools

All times are GMT. The time now is 01:27 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org