1877991 – Prominently document deprecation of single- and triple-DES

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1877991 - Prominently document deprecation of single- and triple-DES

Summary: Prominently document deprecation of single- and triple-DES

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	krb5
Sub Component:
Version:	8.3
Hardware:	Unspecified
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	8.0
Assignee:	Robbie Harwood
QA Contact:	Filip Dvorak
Docs Contact:	Josip Vilicic
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-09-11 02:09 UTC by Josip Vilicic
Modified:	2021-11-09 11:33 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Deprecated Functionality
Doc Text:	.DES and 3DES encryption types have been removed Due to security reasons, the Data Encryption Standard (DES) algorithm has been deprecated and disabled by default since RHEL 7. With the recent rebase of Kerberos packages, single-DES (DES) and triple-DES (3DES) encryption types have been removed from RHEL 8. If you have configured services or users to only use DES or 3DES encryption, you might experience service interruptions such as: * Kerberos authentication errors * `unknown enctype` encryption errors * Kerberos Distribution Centers (KDCs) with DES-encrypted Database Master Keys (`K/M`) fail to start Perform the following actions to prepare for the upgrade: . Check if your KDC uses DES or 3DES encryption with the `krb5check` open source Python scripts. See link:https://github.com/frozencemetery/krb5check[krb5check] on GitHub. . If you are using DES or 3DES encryption with any Kerberos principals, re-key them with a supported encryption type, such as Advanced Encryption Standard (AES). For instructions on re-keying, see link:https://web.mit.edu/kerberos/krb5-latest/doc/admin/advanced/retiring-des.html[Retiring DES] from MIT Kerberos Documentation. . Test independence from DES and 3DES by temporarily setting the following Kerberos options before upgrading: .. In `/var/kerberos/krb5kdc/kdc.conf` on the KDC, set `supported_enctypes` and do not include `des` or `des3`. .. For every host, in `/etc/krb5.conf` and any files in `/etc/krb5.conf.d`, set `allow_weak_crypto` to `false`. It is false by default. .. For every host, in `/etc/krb5.conf` and any files in `/etc/krb5.conf.d`, set `permitted_enctypes`, `default_tgs_enctypes`, and `default_tkt_enctypes`, and do not include `des` or `des3`. . If you do not experience any service interruptions with the test Kerberos settings from the previous step, remove them and upgrade. You do not need those settings after upgrading to the latest Kerberos packages.
Clone Of:
Environment:
Last Closed:	2020-12-08 18:45:13 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	FREEIPA-7264	0	None	None	None	2021-11-09 11:33:19 UTC

Description Josip Vilicic 2020-09-11 02:09:09 UTC

Description of problem:

Since there may be a large customer impact, we want to prominently document that single- and triple-DES have been deprecated in RHEL 8.3

--------------------------------------------

Additional info:

DES deprecation was first mentioned in the Release Note for this BZ:
   "Bug 1802334 - [Rebase] krb5: rebase to 1.18 "
   https://bugzilla.redhat.com/show_bug.cgi?id=1802334

   The `krb5` packages have been upgraded to upstream version 1.18.2. Notable fixes and enhancements include: 

   * Single- and triple-DES encryption types have been removed.

Note You need to log in before you can comment on or make changes to this bug.