[Bug 681201] New: Missing options in YaST / Kerberos client
https://bugzilla.novell.com/show_bug.cgi?id=681201
https://bugzilla.novell.com/show_bug.cgi?id=681201#c0

Summary: Missing options in YaST / Kerberos client
Classification: openSUSE
Product: openSUSE 11.4
Version: Final
Platform: All
OS/Version: Other
Status: NEW
Severity: Enhancement
Priority: P5 - None
Component: YaST2
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: mcaj@novell.com
QAContact: jsrain@novell.com
Found By: ---
Blocker: ---

Hi,

We are using LDAP and Kerberos identification.

1. We are using the keytab file (to allow NFS) in /etc/krb5.keytab. This file is automatically generated on the server. Currently we are using wget and a CGI, e.g.

    wget http://nfs.mycompany.com/cgi-bin/get-key.cgi -O /etc/krb5.keytab

In the CGI script are commands for the Kerberos server (I can send it as well if you need it).

My suggestion is: Can you add a box "Download keytab file"? (similar to the one for downloading the certificate for the LDAP client?)

2. Since openSUSE 11.3 we have been using the new option in /etc/krb5.conf "allow_weak_crypto = true" in the [libdefaults] part. It looks like new Kerberos versions are using stronger encryption, which is fine, but our enterprise server hasn't supported it yet (SLES 11 SP1).

My suggestion is: Can you add an "allow weak crypto" check box in the Kerberos Client? The best place would be on the first list of advanced settings, I think.

PS: and what about one more list in the advanced settings for different types of encryption? (like: des-cbc-crc des3-hmac-sha1) That would be nice too.

Thank you, and if you need to test it don't hesitate to contact me.

Martin

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=681201
https://bugzilla.novell.com/show_bug.cgi?id=681201#c

Jiří Suchomel <jsuchome@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
        Priority|P5 - None                   |P3 - Medium
              CC|                            |jsuchome@novell.com
      AssignedTo|bnc-team-screening@forge.pr |jsuchome@novell.com
                |ovo.novell.com              |
https://bugzilla.novell.com/show_bug.cgi?id=681201
https://bugzilla.novell.com/show_bug.cgi?id=681201#c

Jiří Suchomel <jsuchome@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Status|NEW                         |ASSIGNED
https://bugzilla.novell.com/show_bug.cgi?id=681201
https://bugzilla.novell.com/show_bug.cgi?id=681201#c1

Jiří Suchomel <jsuchome@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Status|ASSIGNED                    |NEEDINFO
              CC|                            |lnussel@novell.com
    InfoProvider|                            |mc@novell.com

--- Comment #1 from Jiří Suchomel <jsuchome@novell.com> 2011-03-22 10:16:22 UTC ---
(In reply to comment #0)
> My suggestion is: Can you add a box "Download keytab file"? (similar to the one for downloading the certificate for the LDAP client?)

I think it could be good.

> My suggestion is: Can you add an "allow weak crypto" check box in the Kerberos Client? The best place would be on the first list of advanced settings, I think.

I also think it's fine to add this one, however

> PS: and what about one more list in the advanced settings for different types of encryption? (like: des-cbc-crc des3-hmac-sha1) That would be nice too.

I'm not sure about these. Michael, what do you think? Does yast2 kerberos-client deserve new options to be set from the UI? (And Ludwig, what do you think about those security options?)
https://bugzilla.novell.com/show_bug.cgi?id=681201
https://bugzilla.novell.com/show_bug.cgi?id=681201#c2

--- Comment #2 from Ludwig Nussel <lnussel@novell.com> 2011-03-22 11:46:34 CET ---
I don't know the first thing about Kerberos so I can't judge which options make sense. Downloading the keytab via an unauthenticated, unencrypted channel seems to be odd though.
https://bugzilla.novell.com/show_bug.cgi?id=681201
https://bugzilla.novell.com/show_bug.cgi?id=681201#c4

Michael Calmer <mc@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Status|NEEDINFO                    |ASSIGNED
              CC|                            |mc@novell.com
    InfoProvider|mc@novell.com               |

--- Comment #4 from Michael Calmer <mc@novell.com> 2011-03-22 11:47:53 UTC ---
The weak_crypto option is only available in newer versions of krb5. They have disabled single DES and you can enable it again with this option.

But some services only support single DES, e.g. NFSv4 using GSSAPI. As I understand this, NFSv4 is using crypto routines from the kernel, and the kernel supports only single DES. This may have changed in newer kernel versions which might also support 3DES.

I think a checkbox for allow_weak_crypto might be good, but configuring a list of crypto things might be overkill.

About the keytab: using wget is not a good option. The kadmin command provides an interface to add a key to a keytab.

    $> kadmin
    ...
    kadmin> ktadd host/xyz.example.com

adds the key for the principal host/xyz.example.com to the local keytab. This command works remotely. Using this, the kvno (key version number) changes. If you need the same key on different hosts you need to copy it in a different way.

Supporting things like this would lead into writing a GUI for kadmin, which is in general a good idea, but overkill for yast2-kerberos-client. (I think yast2-kerberos-client should set up a working Kerberos authentication and should not be a full admin interface.)
https://bugzilla.novell.com/show_bug.cgi?id=681201
https://bugzilla.novell.com/show_bug.cgi?id=681201#c6

--- Comment #6 from Jiří Suchomel <jsuchome@novell.com> 2011-03-25 09:39:18 UTC ---
(In reply to comment #4)
> The weak_crypto option is only available in newer versions of krb5. They have disabled single DES and you can enable it again with this option.
>
> But some services only support single DES, e.g. NFSv4 using GSSAPI. As I understand this, NFSv4 is using crypto routines from the kernel, and the kernel supports only single DES. This may have changed in newer kernel versions which might also support 3DES.
>
> I think a checkbox for allow_weak_crypto might be good, but configuring a list of crypto things might be overkill.

So, is there a chance an update for SLES will be released soon, so we actually do not need such an option? See comment 3.
https://bugzilla.novell.com/show_bug.cgi?id=681201
https://bugzilla.novell.com/show_bug.cgi?id=681201#c8

Michael Calmer <mc@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Status|NEEDINFO                    |ASSIGNED
    InfoProvider|mc@novell.com               |

--- Comment #8 from Michael Calmer <mc@novell.com> 2011-04-01 08:02:55 UTC ---
We will never have a major version update for Kerberos in SLES11.

And comment #3 is not fully correct. Kerberos, also on SLES11, supports strong crypto. New versions of Kerberos try to remove the weak crypto stuff. The checkbox is there to enable support of weak crypto again, because some services (e.g. NFSv4) require weak crypto. They do not work with strong crypto.

So, if you don't want weak crypto, you need to fix the services, not Kerberos :-)
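A defender-side check for the [libdefaults] settings discussed in comments #4 and #8, added here as an example and not part of the bug thread or of yast2-kerberos-client: it parses a krb5.conf and reports whether allow_weak_crypto or the enctype lists re-enable single DES. The sample configs are constructed, and the set of weak enctypes is assumed to match MIT krb5's list.

```python
import re

# Enctypes MIT krb5 only accepts when allow_weak_crypto = true (assumed to
# match MIT's list: single DES, raw 3DES and export-grade RC4).
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw",
                 "des-hmac-sha1", "des3-cbc-raw", "arcfour-hmac-exp"}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

def parse_libdefaults(text):
    """Collect key = value pairs from [libdefaults]; nested { } blocks as used
    under [realms] are skipped so their keys cannot leak into the result."""
    values, section, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section, depth = m.group(1), 0
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth = max(depth - 1, 0)
        elif section == "libdefaults" and depth == 0 and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip().lower()] = val.strip()
    return values

def audit_krb5_conf(text):
    """Return (setting, value) pairs that re-enable weak Kerberos crypto."""
    cfg = parse_libdefaults(text)
    findings = []
    if cfg.get("allow_weak_crypto", "false").lower() in ("true", "yes", "1"):
        findings.append(("allow_weak_crypto", cfg["allow_weak_crypto"]))
    for key in ENCTYPE_KEYS:
        weak = [e for e in cfg.get(key, "").lower().split() if e in WEAK_ENCTYPES]
        if weak:
            findings.append((key, " ".join(weak)))
    return findings

# Constructed sample reproducing the workaround described in the bug report.
WEAK_CONF = """[libdefaults]
    allow_weak_crypto = true
    default_tkt_enctypes = des-cbc-crc aes256-cts-hmac-sha1-96
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""
# Hardened variant: weak crypto stays disabled and only AES is requested.
HARDENED_CONF = WEAK_CONF.replace("allow_weak_crypto = true",
                                  "allow_weak_crypto = false").replace("des-cbc-crc ", "")
```

Running audit_krb5_conf on a host's /etc/krb5.conf gives an empty list when nothing weak is enabled, which is the state comment #8 recommends unless a service such as NFSv4 still forces single DES.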
https://bugzilla.novell.com/show_bug.cgi?id=681201
https://bugzilla.novell.com/show_bug.cgi?id=681201#c9

--- Comment #9 from Jiří Suchomel <jsuchome@novell.com> 2011-04-01 09:36:05 UTC ---
The reason I'm asking is: does it make sense to add a 'weak crypto' checkbox to kerberos-client, or would it be better to solve it on the server's side? And on NFS4... do you believe there is any chance?
https://bugzilla.novell.com/show_bug.cgi?id=681201
https://bugzilla.novell.com/show_bug.cgi?id=681201#c10

Jiří Suchomel <jsuchome@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Status|ASSIGNED                    |RESOLVED
      Resolution|                            |WONTFIX

--- Comment #10 from Jiří Suchomel <jsuchome@novell.com> 2011-05-23 07:53:48 UTC ---
Well, according to Michael's comments, I now think it would not make sense to add such extra options to the YaST module... (Sorry, Martin, for encouraging you to file a request.)