[PATCH] nss: Remove cryptographic key from nss_files

Zack Weinberg zackw@panix.com
Tue Jun 30 18:08:30 GMT 2020

On Tue, Jun 30, 2020 at 11:52 AM Florian Weimer via Libc-alpha
<libc-alpha@sourceware.org> wrote:
> The interface has hard-coded buffer sizes and is therefore tied to
> DES.  It also does not match current practice where different
> services on the same host use different key material.

I just want to suggest a small tweak to the wording in NEWS:

> +* The "files" NSS module can no longer process DES public or private
> +  keys.  The contents of the /etc/publickey file is ignored.
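
Review bot: In the second added line, "The contents of the /etc/publickey file is ignored" has a subject-verb mismatch; "contents ... are ignored" reads correctly. The entry also identifies the change only by key type ("DES public or private keys") and does not say which NSS database stops working in the "files" module, so a reader checking their own configuration has nothing to match against; naming the database would make the entry actionable.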

This will be confusing to anyone who knows what DES is but not how
Sun's "secure" RPC extension used it, because DES is a symmetric
cipher.  I had to look this up myself and I'm still not sure I get it.
I suggest instead

+ * The "files" NSS module no longer supports the "key" database
+ (used for secure RPC).  The contents of the /etc/publickey file
+ will be ignored, regardless of the settings in /etc/nsswitch.conf.
+ (This method of storing RPC keys only supported the obsolete and
+ insecure AUTH_DES flavor of secure RPC.)

