2357212 – Disallow RC4 HMAC-MD5 session keys by default [fedora]

Bug 2357212 - Disallow RC4 HMAC-MD5 session keys by default [fedora]

Summary: Disallow RC4 HMAC-MD5 session keys by default [fedora]

Keywords:
Status:	CLOSED DUPLICATE of bug 2359705
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	krb5
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Assignee:	Julien Rische
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-04-03 14:46 UTC by Julien Rische
Modified:	2025-04-15 09:31 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2025-04-15 09:30:32 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	FREEIPA-12104	0	None	None	None	2025-04-03 14:48:20 UTC

Description Julien Rische 2025-04-03 14:46:55 UTC

As explained in the section "The problem with RC4-HMAC" of the following document, using the arcfour-hmac-md5 as encryption type for session keys is vulnerable to attacks based on MD5 collision:
https://i.blackhat.com/EU-22/Thursday-Briefings/EU-22-Tervoort-Breaking-Kerberos-RC4-Cipher-and-Spoofing-Windows-PACs-wp.pdf

This encryption type should be disallowed for session keys by default.

Reproducible: Always

Comment 1 Julien Rische 2025-04-15 09:30:32 UTC


*** This bug has been marked as a duplicate of bug 2359672 ***

Comment 2 Julien Rische 2025-04-15 09:31:28 UTC


*** This bug has been marked as a duplicate of bug 2359705 ***

Note You need to log in before you can comment on or make changes to this bug.