[Bug 681201] New: Missing options in YaST / Kerberos client
https://bugzilla.novell.com/show_bug.cgi?id=681201
https://bugzilla.novell.com/show_bug.cgi?id=681201#c0

Summary: Missing options in YaST / Kerberos client
Classification: openSUSE
Product: openSUSE 11.4
Version: Final
Platform: All
OS/Version: Other
Status: NEW
Severity: Enhancement
Priority: P5 - None
Component: YaST2
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: mcaj@novell.com
QAContact: jsrain@novell.com
Found By: ---
Blocker: ---

Hi,

We are using LDAP and Kerberos identification.

1. We are using the keytab file (to allow NFS) in /etc/krb5.keytab. This file is automatically generated on the server. Currently we are using wget and CGI, e.g.

    wget http://nfs.mycompany.com/cgi-bin/get-key.cgi -O /etc/krb5.keytab

In the CGI script are commands for the Kerberos server (I can send it as well if you need it).

My suggestion is: Can you add a "Download keytab file" box? (Similar to the one for downloading the certificate for the LDAP client?)

2. Since openSUSE 11.3 we have been using the new option in /etc/krb5.conf, "allow_weak_crypto = true", in the [libdefaults] part. It looks like new Kerberos versions are using stronger encryption, which is fine, but our enterprise server hasn't supported it yet (SLES 11 SP1).

My suggestion is: Can you add an "allow weak crypto" check box in the Kerberos Client? The best place would be on the first list of advanced settings, I think.

PS: And what about one more list in the advanced settings for different types of encryption (like: des-cbc-crc des3-hmac-sha1)? That would be nice too.

Thank you, and if you need to test it, don't hesitate to contact me.

Martin

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=681201#c1
Jiří Suchomel
> My suggestion is : Can you add box Download keytab file ? (similar as is for download certification for ldap client ? )

I think it could be good.

> My suggestion is : Can you add allow weak crypto check box in the Kerberos Client ? the best place would be on the first list of advanced setting I think.

I also think it's fine to add this one, however

> Ps : and what about one more list in the advanced setting for different type of encryption ?( like : des-cbc-crc des3-hmac-sha1 ) that would be nice too.

I'm not sure about these. Michael, what do you think? Does yast2 kerberos-client deserve new options to be set from UI? (And Ludwig, what do you think about those security options?)
https://bugzilla.novell.com/show_bug.cgi?id=681201#c2
--- Comment #2 from Ludwig Nussel
https://bugzilla.novell.com/show_bug.cgi?id=681201#c4
Michael Calmer
https://bugzilla.novell.com/show_bug.cgi?id=681201#c6
--- Comment #6 from Jiří Suchomel
weak_crypto option is only available in newer versions of krb5. They have disabled single DES and you can enable it again with this option.
But some services only support single DES, e.g. nfsv4 using GSSAPI. As I understand this, nfsv4 is using crypto routines from the kernel. And the kernel supports only single DES. This may have changed in newer kernel versions which might also support 3DES.
I think a checkbox for allow_weak_crypto might be good, but configuring a list of crypto things might be overkill.
So, is there a chance an update for SLES will be released soon, so we actually do not need such an option? See comment 3.
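An added example, not part of the bug thread and not YaST code: a small Python check that reads the [libdefaults] section of a krb5.conf and reports whether `allow_weak_crypto` is enabled and whether single-DES enctypes appear in the enctype lists. The sample configuration, the realm name and the function names are constructed for illustration; the single-DES name set is an assumption to adjust for the installed krb5 version.

```python
import re

# Single-DES enctype names (the family the thread says newer krb5 disables).
# Assumption: adjust this set to match the krb5 version in use.
SINGLE_DES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-hmac-sha1"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
TRUE_VALUES = {"true", "yes", "y", "t", "1", "on"}

# Constructed sample configuration, not taken from the bug report.
SAMPLE = """
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = true
    permitted_enctypes = aes256-cts-hmac-sha1-96 des-cbc-crc des3-hmac-sha1

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""


def parse_libdefaults(text):
    """Return the key/value relations found in the [libdefaults] section."""
    section, relations = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip()
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            relations[key.strip()] = value.strip()
    return relations


def audit(text):
    """List weak-crypto findings for a krb5.conf given as a string."""
    rel = parse_libdefaults(text)
    weak_allowed = rel.get("allow_weak_crypto", "false").lower() in TRUE_VALUES
    findings = ["allow_weak_crypto is enabled"] if weak_allowed else []
    state = "usable" if weak_allowed else "ignored without allow_weak_crypto"
    for key in ENCTYPE_KEYS:
        listed = set(re.split(r"[,\s]+", rel.get(key, "").lower())) & SINGLE_DES
        findings += [f"{key} lists {e} ({state})" for e in sorted(listed)]
    return findings
```

Running `audit(open("/etc/krb5.conf").read())` on clients makes it easy to find hosts that still carry the workaround once the server side supports stronger enctypes.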
https://bugzilla.novell.com/show_bug.cgi?id=681201#c8
Michael Calmer
https://bugzilla.novell.com/show_bug.cgi?id=681201#c9
--- Comment #9 from Jiří Suchomel
https://bugzilla.novell.com/show_bug.cgi?id=681201#c10
Jiří Suchomel