PR#33: Add AES SHA-2 HMAC family as default KDC etypes - rpms/krb5

Julien Rische • a year ago

4a4fd39

kdc.conf

file modified

+4 -2

		`@@ -5,10 +5,12 @@`

		`[realms]`
		`EXAMPLE.COM = {`
		`- #master_key_type = aes256-cts`
		`+ master_key_type = aes256-cts-hmac-sha384-192`
		`acl_file = /var/kerberos/krb5kdc/kadm5.acl`
		`dict_file = /usr/share/dict/words`
		`default_principal_flags = +preauth`
		`admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab`
		`- supported_enctypes = aes256-cts:normal aes128-cts:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal`
		`+ supported_enctypes = aes256-cts-hmac-sha384-192:normal aes128-cts-hmac-sha256-128:normal aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal camellia256-cts-cmac:normal camellia128-cts-cmac:normal arcfour-hmac-md5:normal`
		`+ # Supported encryption types for FIPS mode:`
		`+ #supported_enctypes = aes256-cts-hmac-sha384-192:normal aes128-cts-hmac-sha256-128:normal`
		`}`

krb5.spec

file modified

+6 -1

		`@@ -10,7 +10,7 @@`
		`#`
		`# baserelease is what we have standardized across Fedora and what`
		`# rpmdev-bumpspec knows how to handle.`
		`- %global baserelease 5`
		`+ %global baserelease 6`

		`# This should be e.g. beta1 or %%nil`
		`%global pre_release %nil`
		`@@ -710,6 +710,11 @@`
		`%{_datarootdir}/%{name}-tests/`

		`%changelog`
		`+ * Wed Jan 18 2023 Julien Rische <jrische@redhat.com> - 1.20.1-6`
		`+ - Set aes256-cts-hmac-sha384-192 as EXAMLE.COM master key in kdc.conf`
		`+ - Add AES SHA-2 HMAC family as EXAMPLE.COM supported etypes in kdc.conf`
		`+ - Resolves: rhbz#2114771`
		`+`
		`* Mon Jan 09 2023 Julien Rische <jrische@redhat.com> - 1.20.1-5`
		`- Strip debugging data from ksu executable file`