author: Chuck Lever <chuck.lever@oracle.com> 2019-02-11 17:24:43 +0100
committer: Anna Schumaker <Anna.Schumaker@Netapp.com> 2019-02-13 19:33:12 +0100
commit: fe9a270519c72bccb3af524db7ea6c7b67700d50 (patch)
tree: c3a0026af4b4f69ed5880fd508c3e776870f92ab /net/sunrpc/Kconfig
parent: SUNRPC: Remove rpc_xprt::tsh_size (diff)
SUNRPC: Add build option to disable support for insecure enctypes

Enable distributions to enforce the rejection of ancient and insecure Kerberos enctypes in the kernel's RPCSEC_GSS implementation. These are the single-DES encryption types that were deprecated in 2012 by RFC 6649.

Enctypes that were deprecated more recently (by RFC 8429) remain fully supported for now because they are still likely to be widely used.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Acked-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>

Diffstat (limited to 'net/sunrpc/Kconfig')
-rw-r--r-- net/sunrpc/Kconfig 16
1 files changed, 16 insertions, 0 deletions
diff --git a/net/sunrpc/Kconfig b/net/sunrpc/Kconfig
index ac09ca803296..83f5617bae07 100644
--- a/net/sunrpc/Kconfig
+++ b/net/sunrpc/Kconfig
@@ -34,6 +34,22 @@ config RPCSEC_GSS_KRB5
If unsure, say Y.
+config CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES
+ bool "Secure RPC: Disable insecure Kerberos encryption types"
+ depends on RPCSEC_GSS_KRB5
+ default n
+ help
+ Choose Y here to disable the use of deprecated encryption types
+ with the Kerberos version 5 GSS-API mechanism (RFC 1964). The
+ deprecated encryption types include DES-CBC-MD5, DES-CBC-CRC,
+ and DES-CBC-MD4. These types were deprecated by RFC 6649 because
+ they were found to be insecure.
+
+ N is the default because many sites have deployed KDCs and
+ keytabs that contain only these deprecated encryption types.
+ Choosing Y prevents the use of known-insecure encryption types
+ but might result in compatibility problems.
+
config SUNRPC_DEBUG
bool "RPC: Enable dprintk debugging"
depends on SUNRPC && SYSCTL
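
Review bot: The new entry is declared as "config CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES", but Kconfig prepends CONFIG_ to every symbol itself, so the generated macro will be CONFIG_CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES. Any code that tests CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES would then never see it defined, and choosing Y would silently leave DES-CBC-MD5, DES-CBC-CRC and DES-CBC-MD4 enabled. Declare it as "config SUNRPC_DISABLE_INSECURE_ENCTYPES", matching the neighbouring RPCSEC_GSS_KRB5 and SUNRPC_DEBUG entries. As a minor style point, the "default n" line is redundant because n is already the default for a bool symbol; the rationale in the help text is enough.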