Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

SUNRPC: Remove RPCSEC_GSS_KRB5_ENCTYPES_DES

Make it impossible to enable support for the DES or DES3 Kerberos
encryption types in SunRPC. These enctypes were deprecated by RFCs
6649 and 8429 because they are known to be insecure.

Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

-29
-1
net/sunrpc/.kunitconfig
··· 23 23 CONFIG_SUNRPC=y 24 24 CONFIG_SUNRPC_GSS=y 25 25 CONFIG_RPCSEC_GSS_KRB5=y 26 - CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_DES=y 27 26 CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA1=y 28 27 CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_CAMELLIA=y 29 28 CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2=y
-28
net/sunrpc/Kconfig
··· 34 34 35 35 If unsure, say Y. 36 36 37 - config RPCSEC_GSS_KRB5_SIMPLIFIED 38 - bool 39 - depends on RPCSEC_GSS_KRB5 40 - 41 37 config RPCSEC_GSS_KRB5_CRYPTOSYSTEM 42 38 bool 43 39 depends on RPCSEC_GSS_KRB5 44 - 45 - config RPCSEC_GSS_KRB5_ENCTYPES_DES 46 - bool "Enable Kerberos enctypes based on DES (deprecated)" 47 - depends on RPCSEC_GSS_KRB5 48 - depends on CRYPTO_CBC && CRYPTO_CTS && CRYPTO_ECB 49 - depends on CRYPTO_HMAC && CRYPTO_MD5 && CRYPTO_SHA1 50 - depends on CRYPTO_DES 51 - default n 52 - select RPCSEC_GSS_KRB5_SIMPLIFIED 53 - help 54 - Choose Y to enable the use of deprecated Kerberos 5 55 - encryption types that utilize Data Encryption Standard 56 - (DES) based ciphers. These include des-cbc-md5, 57 - des-cbc-crc, and des-cbc-md4, which were deprecated by 58 - RFC 6649, and des3-cbc-sha1, which was deprecated by RFC 59 - 8429. 60 - 61 - These encryption types are known to be insecure, therefore 62 - the default setting of this option is N. Support for these 63 - encryption types is available only for compatibility with 64 - legacy NFS client and server implementations. 65 - 66 - Removal of support is planned for a subsequent kernel 67 - release. 68 40 69 41 config RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA1 70 42 bool "Enable Kerberos enctypes based on AES and SHA-1"
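Review bot: In net/sunrpc/.kunitconfig, dropping `CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_DES=y` leaves the KUnit configuration unable to enable any DES or DES3 enctype coverage, while the change shown touches only this file and Kconfig. If test cases or code guarded by that symbol still exist in the tree, they become unbuildable dead code once this lands. Either remove them in the same series or say in the commit message that a follow-up patch does so.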
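Review bot: In net/sunrpc/Kconfig, the hidden symbol `RPCSEC_GSS_KRB5_SIMPLIFIED` is deleted together with `RPCSEC_GSS_KRB5_ENCTYPES_DES`, but the commit message mentions only the DES and DES3 enctypes. In the lines shown, the only selector is `select RPCSEC_GSS_KRB5_SIMPLIFIED` under the DES entry, so the removal looks consistent. Please say so in the message and confirm that no remaining enctype option selects it. The deleted help text also states that the option existed "only for compatibility with legacy NFS client and server implementations", so the message should note that an existing .config with the option set to y drops it silently and that des-cbc-crc, des-cbc-md4, des-cbc-md5 and des3-cbc-sha1 can no longer be enabled for such peers.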