[PATCH] nss: Remove cryptographic key from nss_files
Zack Weinberg
zackw@panix.com
Tue Jun 30 18:08:30 GMT 2020
On Tue, Jun 30, 2020 at 11:52 AM Florian Weimer via Libc-alpha
<libc-alpha@sourceware.org> wrote:
>
> The interface has hard-coded buffer sizes and is therefore tied to
> DES. It also does not match current practice where different
> services on the same host use different key material.

I just want to suggest a small tweak to the wording in NEWS:

> +* The "files" NSS module can no longer process DES public or private
> + keys. The contents of the /etc/publickey file is ignored.
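
Review bot: "The contents of the /etc/publickey file is ignored" on the second added line has a subject-verb mismatch; "contents" takes "are". The entry also describes the removal by key type ("DES public or private keys") rather than by what an administrator would search for, so consider naming the NSS database that the "files" module no longer serves and the feature that depended on it.
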
This will be confusing to anyone who knows what DES is but not how
Sun's "secure" RPC extension used it, because DES is a symmetric
cipher. I had to look this up myself and I'm still not sure I get it.

I suggest instead

+ * The "files" NSS module no longer supports the "key" database
+ (used for secure RPC). The contents of the /etc/publickey file
+ will be ignored, regardless of the settings in /etc/nsswitch.conf.
+ (This method of storing RPC keys only supported the obsolete and
+ insecure AUTH_DES flavor of secure RPC.)
zw