Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1877991

Summary: Prominently document deprecation of single- and triple-DES
Product: Red Hat Enterprise Linux 8 Reporter: Josip Vilicic <jvilicic>
Component: krb5Assignee: Robbie Harwood <rharwood>
Status: CLOSED CURRENTRELEASE QA Contact: Filip Dvorak <fdvorak>
Severity: unspecified Docs Contact: Josip Vilicic <jvilicic>
Priority: unspecified    
Version: 8.3CC: dpal, fdvorak, lmanasko, mpershin, rharwood
Target Milestone: rcFlags: pm-rhel: mirror+
Target Release: 8.0   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Deprecated Functionality
Doc Text:
.DES and 3DES encryption types have been removed Due to security reasons, the Data Encryption Standard (DES) algorithm has been deprecated and disabled by default since RHEL 7. With the recent rebase of Kerberos packages, single-DES (DES) and triple-DES (3DES) encryption types have been removed from RHEL 8. If you have configured services or users to only use DES or 3DES encryption, you might experience service interruptions such as: * Kerberos authentication errors * `unknown enctype` encryption errors * Kerberos Distribution Centers (KDCs) with DES-encrypted Database Master Keys (`K/M`) fail to start Perform the following actions to prepare for the upgrade: . Check if your KDC uses DES or 3DES encryption with the `krb5check` open source Python scripts. See link:https://github.com/frozencemetery/krb5check[krb5check] on GitHub. . If you are using DES or 3DES encryption with any Kerberos principals, re-key them with a supported encryption type, such as Advanced Encryption Standard (AES). For instructions on re-keying, see link:https://web.mit.edu/kerberos/krb5-latest/doc/admin/advanced/retiring-des.html[Retiring DES] from MIT Kerberos Documentation. . Test independence from DES and 3DES by temporarily setting the following Kerberos options before upgrading: .. In `/var/kerberos/krb5kdc/kdc.conf` on the KDC, set `supported_enctypes` and do not include `des` or `des3`. .. For every host, in `/etc/krb5.conf` and any files in `/etc/krb5.conf.d`, set `allow_weak_crypto` to `false`. It is false by default. .. For every host, in `/etc/krb5.conf` and any files in `/etc/krb5.conf.d`, set `permitted_enctypes`, `default_tgs_enctypes`, and `default_tkt_enctypes`, and do not include `des` or `des3`. . If you do not experience any service interruptions with the test Kerberos settings from the previous step, remove them and upgrade. You do not need those settings after upgrading to the latest Kerberos packages.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-12-08 18:45:13 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Josip Vilicic 2020-09-11 02:09:09 UTC 
Description of problem:

Since there may be a large customer impact, we want to prominently document that single- and triple-DES have been deprecated in RHEL 8.3

--------------------------------------------

Additional info:

DES deprecation was first mentioned in the Release Note for this BZ:
   "Bug 1802334 - [Rebase] krb5: rebase to 1.18 "
   https://bugzilla.redhat.com/show_bug.cgi?id=1802334

   The `krb5` packages have been upgraded to upstream version 1.18.2. Notable fixes and enhancements include: 

   * Single- and triple-DES encryption types have been removed.