[PATCH] nss: Remove cryptographic key from nss_files
Florian Weimer
fweimer@redhat.com
Mon Jul 6 17:32:43 GMT 2020
* Zack Weinberg:
> On Tue, Jun 30, 2020 at 11:52 AM Florian Weimer via Libc-alpha
> <libc-alpha@sourceware.org> wrote:
>>
>> The interface has hard-coded buffer sizes and is therefore tied to
>> DES. It also does not match current practice where different
>> services on the same host use different key material.
>
> I just want to suggest a small tweak to the wording in NEWS:
>
>> +* The "files" NSS module can no longer process DES public or private
>> + keys. The contents of the /etc/publickey file is ignored.
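Review bot: The second sentence of this NEWS entry, "The contents of the /etc/publickey file is ignored", pairs a plural subject with a singular verb; "are ignored" would read correctly. The entry also identifies the removed feature only as "DES public or private keys" and does not say whether a "files" entry in /etc/nsswitch.conf still has any effect, so an administrator cannot tell from the text which configuration is affected. Naming the database and stating that the file is ignored whatever the nsswitch.conf settings are would close that gap.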
>
> This will be confusing to anyone who knows what DES is but not how
> Sun's "secure" RPC extension used it, because DES is a symmetric
> cipher. I had to look this up myself and I'm still not sure I get it.
> I suggest instead
>
> + * The "files" NSS module no longer supports the "key" database
> + (used for secure RPC). The contents of the /etc/publickey file
> + will be ignored, regardless of the settings in /etc/nsswitch.conf.
> + (This method of storing RPC keys only supported the obsolete and
> + insecure AUTH_DES flavor of secure RPC.)
I've picked this up for V2, thanks.
Florian