krb5 commit: Remove the v4 and afs3 salt types

Greg Hudson ghudson at mit.edu
Tue May 28 15:00:53 EDT 2019


https://github.com/krb5/krb5/commit/e0a35ff48c09a26ebb9aefd7e98855a84574b8be
commit e0a35ff48c09a26ebb9aefd7e98855a84574b8be
Author: Robbie Harwood <rharwood at redhat.com>
Date:   Fri May 24 13:11:44 2019 -0400

    Remove the v4 and afs3 salt types
    
    In preparation for removing single-DES support, remove the v4 and afs3
    salt types.  The afs3 salt type could only be used with single-DES
    keys, and the v4 salt type was only useful for single-DES keys from
    krb4 databases.
    
    [ghudson at mit.edu: wrote commit message]
    
    ticket: 8808

 doc/admin/conf_files/kdc_conf.rst                  |    2 -
 src/include/kdb.h                                  |    4 +-
 src/kadmin/testing/proto/kdc.conf.proto            |    2 +-
 src/kdc/kdc_preauth.c                              |   40 ++++---------------
 .../unit-test/api.current/chpass-principal-v2.exp  |    8 ++--
 .../unit-test/api.current/get-principal-v2.exp     |    4 +-
 src/lib/kdb/kdb5.c                                 |    4 --
 src/lib/kdb/kdb_cpw.c                              |   16 +-------
 src/lib/krb5/krb/str_conv.c                        |    2 -
 src/lib/krb5/krb/t_get_etype_info.py               |    7 ---
 src/man/kdc.conf.man                               |   16 +-------
 src/tests/dejagnu/config/default.exp               |   17 --------
 src/tests/t_etype_info.py                          |   24 +-----------
 src/tests/t_keytab.py                              |    5 --
 src/tests/t_renprinc.py                            |    2 +-
 src/tests/t_salt.py                                |   26 +------------
 src/util/k5test.py                                 |   11 -----
 17 files changed, 25 insertions(+), 165 deletions(-)

diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst
index c73791c..62d1bfc 100644
--- a/doc/admin/conf_files/kdc_conf.rst
+++ b/doc/admin/conf_files/kdc_conf.rst
@@ -917,10 +917,8 @@ follows:
 
 ================= ============================================
 normal            default for Kerberos Version 5
-v4                the only type used by Kerberos Version 4 (no salt)
 norealm           same as the default, without using realm information
 onlyrealm         uses only realm information as the salt
-afs3              AFS version 3, only used for compatibility with Kerberos 4 in AFS
 special           generate a random salt
 ================= ============================================
 
diff --git a/src/include/kdb.h b/src/include/kdb.h
index 92f8458..0c48da6 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -73,11 +73,11 @@
 
 /* Salt types */
 #define KRB5_KDB_SALTTYPE_NORMAL        0
-#define KRB5_KDB_SALTTYPE_V4            1
+/* #define KRB5_KDB_SALTTYPE_V4            1 */
 #define KRB5_KDB_SALTTYPE_NOREALM       2
 #define KRB5_KDB_SALTTYPE_ONLYREALM     3
 #define KRB5_KDB_SALTTYPE_SPECIAL       4
-#define KRB5_KDB_SALTTYPE_AFS3          5
+/* #define KRB5_KDB_SALTTYPE_AFS3          5 */
 #define KRB5_KDB_SALTTYPE_CERTHASH      6
 
 /* Attributes */
diff --git a/src/kadmin/testing/proto/kdc.conf.proto b/src/kadmin/testing/proto/kdc.conf.proto
index 61283ac..45df78b 100644
--- a/src/kadmin/testing/proto/kdc.conf.proto
+++ b/src/kadmin/testing/proto/kdc.conf.proto
@@ -12,5 +12,5 @@
 		kadmind_port = 1751
 		kpasswd_port = 1752
 		master_key_type = des3-hmac-sha1
-		supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-md5:normal des-cbc-raw:normal
+		supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-md5:normal des-cbc-raw:normal
 	}
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index caf133c..508a5cf 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -781,8 +781,8 @@ add_etype_info(krb5_context context, krb5_kdcpreauth_rock rock,
     return add_pa_data_element(pa_list, pa);
 }
 
-/* Add PW-SALT or AFS3-SALT entries to pa_list as appropriate for the request
- * and client principal. */
+/* Add PW-SALT entries to pa_list as appropriate for the request and client
+ * principal. */
 static krb5_error_code
 add_pw_salt(krb5_context context, krb5_kdcpreauth_rock rock,
             krb5_pa_data ***pa_list)
@@ -801,21 +801,13 @@ add_pw_salt(krb5_context context, krb5_kdcpreauth_rock rock,
     if (ret)
         return 0;
 
-    if (salttype == KRB5_KDB_SALTTYPE_AFS3) {
-        ret = alloc_pa_data(KRB5_PADATA_AFS3_SALT, salt->length + 1, &pa);
-        if (ret)
-            goto cleanup;
-        memcpy(pa->contents, salt->data, salt->length);
-        pa->contents[salt->length] = '\0';
-    } else {
-        /* Steal memory from salt to make the pa-data entry. */
-        ret = alloc_pa_data(KRB5_PADATA_PW_SALT, 0, &pa);
-        if (ret)
-            goto cleanup;
-        pa->length = salt->length;
-        pa->contents = (uint8_t *)salt->data;
-        salt->data = NULL;
-    }
+    /* Steal memory from salt to make the pa-data entry. */
+    ret = alloc_pa_data(KRB5_PADATA_PW_SALT, 0, &pa);
+    if (ret)
+        goto cleanup;
+    pa->length = salt->length;
+    pa->contents = (uint8_t *)salt->data;
+    salt->data = NULL;
 
     /* add_pa_data_element() claims pa on success or failure. */
     ret = add_pa_data_element(pa_list, pa);
@@ -1545,20 +1537,6 @@ _make_etype_info_entry(krb5_context context,
                                    &salttype, &salt);
     if (retval)
         goto cleanup;
-    if (etype_info2 && salttype == KRB5_KDB_SALTTYPE_AFS3) {
-        switch (etype) {
-        case ENCTYPE_DES_CBC_CRC:
-        case ENCTYPE_DES_CBC_MD4:
-        case ENCTYPE_DES_CBC_MD5:
-            retval = alloc_data(&entry->s2kparams, 1);
-            if (retval)
-                goto cleanup;
-            entry->s2kparams.data[0] = 1;
-            break;
-        default:
-            break;
-        }
-    }
 
     entry->length = salt->length;
     entry->salt = (unsigned char *)salt->data;
diff --git a/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp b/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp
index 8361fb0..db899a1 100644
--- a/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp
+++ b/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp
@@ -18,8 +18,8 @@ proc test200 {} {
 
     # I'd like to specify a long list of keysalt tuples and make sure
     # that chpass does the right thing, but we can only use those
-    # enctypes that krbtgt has a key for: des-cbc-crc:normal and
-    # des-cbc-crc:v4, according to the prototype kdc.conf.
+    # enctypes that krbtgt has a key for: des-cbc-crc:normal
+    # according to the prototype kdc.conf.
     if {! [cmd [format {
 	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
 		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 \
@@ -53,10 +53,10 @@ proc test200 {} {
     }
 
     # XXX Perhaps I should actually check the key type returned.
-    if {$num_keys == 3} {
+    if {$num_keys == 2} {
 	pass "$test"
     } else {
-	fail "$test: $num_keys keys, should be 3"
+	fail "$test: $num_keys keys, should be 2"
     }
     if { ! [cmd {kadm5_destroy $server_handle}]} {
 	perror "$test: unexpected failure in destroy"
diff --git a/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp b/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp
index 86c45f4..8526897 100644
--- a/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp
+++ b/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp
@@ -143,8 +143,8 @@ proc test101_102 {rpc} {
     }
 
     set failed 0
-    if {$num_keys != 3} {
-	fail "$test: num_keys $num_keys should be 3"
+    if {$num_keys != 2} {
+	fail "$test: num_keys $num_keys should be 2"
 	set failed 1
     }
     for {set i 0} {$i < $num_keys} {incr i} {
diff --git a/src/lib/kdb/kdb5.c b/src/lib/kdb/kdb5.c
index 0c25bf2..b910bd3 100644
--- a/src/lib/kdb/kdb5.c
+++ b/src/lib/kdb/kdb5.c
@@ -2318,15 +2318,11 @@ krb5_dbe_compute_salt(krb5_context context, const krb5_key_data *key,
         if (retval)
             return retval;
         break;
-    case KRB5_KDB_SALTTYPE_V4:
-        sdata = empty_data();
-        break;
     case KRB5_KDB_SALTTYPE_NOREALM:
         retval = krb5_principal2salt_norealm(context, princ, &sdata);
         if (retval)
             return retval;
         break;
-    case KRB5_KDB_SALTTYPE_AFS3:
     case KRB5_KDB_SALTTYPE_ONLYREALM:
         return krb5_copy_data(context, &princ->realm, salt_out);
     case KRB5_KDB_SALTTYPE_SPECIAL:
diff --git a/src/lib/kdb/kdb_cpw.c b/src/lib/kdb/kdb_cpw.c
index 03efc28..450860f 100644
--- a/src/lib/kdb/kdb_cpw.c
+++ b/src/lib/kdb/kdb_cpw.c
@@ -260,7 +260,6 @@ add_key_pwd(context, master_key, ks_tuple, ks_tuple_count, passwd,
     krb5_keysalt          key_salt;
     krb5_keyblock         key;
     krb5_data             pwd;
-    krb5_data             afs_params = string2data("\1"), *s2k_params;
     int                   i, j;
     krb5_key_data        *kd_slot;
 
@@ -268,7 +267,6 @@ add_key_pwd(context, master_key, ks_tuple, ks_tuple_count, passwd,
         krb5_boolean similar;
 
         similar = 0;
-        s2k_params = NULL;
 
         /*
          * We could use krb5_keysalt_iterate to replace this loop, or use
@@ -316,18 +314,6 @@ add_key_pwd(context, master_key, ks_tuple, ks_tuple_count, passwd,
                                               &key_salt.data)))
                 return(retval);
             break;
-        case KRB5_KDB_SALTTYPE_V4:
-            key_salt.data.length = 0;
-            key_salt.data.data = 0;
-            break;
-        case KRB5_KDB_SALTTYPE_AFS3:
-            retval = krb5int_copy_data_contents(context,
-                                                &db_entry->princ->realm,
-                                                &key_salt.data);
-            if (retval)
-                return retval;
-            s2k_params = &afs_params;
-            break;
         case KRB5_KDB_SALTTYPE_SPECIAL:
             retval = make_random_salt(context, &key_salt);
             if (retval)
@@ -342,7 +328,7 @@ add_key_pwd(context, master_key, ks_tuple, ks_tuple_count, passwd,
         retval = krb5_c_string_to_key_with_params(context,
                                                   ks_tuple[i].ks_enctype,
                                                   &pwd, &key_salt.data,
-                                                  s2k_params, &key);
+                                                  NULL, &key);
         if (retval) {
             free(key_salt.data.data);
             return retval;
diff --git a/src/lib/krb5/krb/str_conv.c b/src/lib/krb5/krb/str_conv.c
index 3d05724..c8421a8 100644
--- a/src/lib/krb5/krb/str_conv.c
+++ b/src/lib/krb5/krb/str_conv.c
@@ -61,11 +61,9 @@ struct salttype_lookup_entry {
 #include "kdb.h"
 static const struct salttype_lookup_entry salttype_table[] = {
     { KRB5_KDB_SALTTYPE_NORMAL,     "normal"     },
-    { KRB5_KDB_SALTTYPE_V4,         "v4",        },
     { KRB5_KDB_SALTTYPE_NOREALM,    "norealm",   },
     { KRB5_KDB_SALTTYPE_ONLYREALM,  "onlyrealm", },
     { KRB5_KDB_SALTTYPE_SPECIAL,    "special",   },
-    { KRB5_KDB_SALTTYPE_AFS3,       "afs3",      },
 };
 static const int salttype_table_nents = sizeof(salttype_table)/
     sizeof(salttype_table[0]);
diff --git a/src/lib/krb5/krb/t_get_etype_info.py b/src/lib/krb5/krb/t_get_etype_info.py
index 7c400be..3c91685 100644
--- a/src/lib/krb5/krb/t_get_etype_info.py
+++ b/src/lib/krb5/krb/t_get_etype_info.py
@@ -9,9 +9,6 @@ realm.run([kadminl, 'ank', '-nokey', '+preauth', 'pnokey'])
 realm.run([kadminl, 'ank', '-e', 'aes256-cts:special', '-pw', 'pw', 'exp'])
 realm.run([kadminl, 'ank', '-e', 'aes256-cts:special', '-pw', 'pw', '+preauth',
            'pexp'])
-realm.run([kadminl, 'ank', '-e', 'des-cbc-crc:afs3', '-pw', 'pw', 'afs'])
-realm.run([kadminl, 'ank', '-e', 'des-cbc-crc:afs3', '-pw', 'pw', '+preauth',
-           'pafs'])
 
 # Extract the explicit salt values from the database.
 out = realm.run([kdb5_util, 'tabdump', 'keyinfo'])
@@ -56,8 +53,4 @@ realm.run(['./t_get_etype_info', 'exp'],
 realm.run(['./t_get_etype_info', 'pexp'],
           expected_msg='etype: aes256-cts\nsalt: ' + pexp_salt + '\n')
 
-msg = 'etype: des-cbc-crc\nsalt: KRBTEST.COM\ns2kparams: 01\n'
-realm.run(['./t_get_etype_info', 'afs'], expected_msg=msg)
-realm.run(['./t_get_etype_info', 'pafs'], expected_msg=msg)
-
 success('krb5_get_etype_info() tests')
diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man
index 05cc8f6..4a75be8 100644
--- a/src/man/kdc.conf.man
+++ b/src/man/kdc.conf.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KDC.CONF" "5" " " "1.17" "MIT Kerberos"
+.TH "KDC.CONF" "5" " " "1.18" "MIT Kerberos"
 .SH NAME
 kdc.conf \- Kerberos V5 KDC configuration file
 .
@@ -1148,12 +1148,6 @@ default for Kerberos Version 5
 T}
 _
 T{
-v4
-T}	T{
-the only type used by Kerberos Version 4 (no salt)
-T}
-_
-T{
 norealm
 T}	T{
 same as the default, without using realm information
@@ -1166,12 +1160,6 @@ uses only realm information as the salt
 T}
 _
 T{
-afs3
-T}	T{
-AFS version 3, only used for compatibility with Kerberos 4 in AFS
-T}
-_
-T{
 special
 T}	T{
 generate a random salt
@@ -1233,6 +1221,6 @@ krb5.conf(5), krb5kdc(8), kadm5.acl(5)
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2018, MIT
+1985-2019, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp
index ea9bedd..c061d76 100644
--- a/src/tests/dejagnu/config/default.exp
+++ b/src/tests/dejagnu/config/default.exp
@@ -239,22 +239,6 @@ set passes {
 	{dummy=[verbose -log "AES + DES enctypes, DES3 TGT"]}
     }
     {
-	des-v4
-	mode=udp
-	des3_krbtgt=0
-	{supported_enctypes=des-cbc-crc:v4}
-	{default_tkt_enctypes(client)=des-cbc-crc}
-	{dummy=[verbose -log "DES TGT, DES-CRC enctype, V4 salt"]}
-    }
-    {
-	des-md5-v4
-	mode=udp
-	des3_krbtgt=0
-	{supported_enctypes=des-cbc-md5:v4 des-cbc-crc:v4}
-	{default_tkt_enctypes(client)=des-cbc-md5 des-cbc-crc}
-	{dummy=[verbose -log "DES TGT, DES-MD5 and -CRC enctypes, V4 salt"]}
-    }
-    {
 	all-enctypes
 	mode=udp
 	des3_krbtgt=0
@@ -356,7 +340,6 @@ set unused_passes {
 	aes128-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:norealm \
 	des3-cbc-sha1:normal des3-cbc-sha1:none \
 	des-cbc-md5:normal des-cbc-md4:normal des-cbc-crc:normal \
-	des-cbc-md5:v4 des-cbc-md4:v4 des-cbc-crc:v4 \
 	}
 	{dummy=[verbose -log "DES3 TGT, default enctypes"]}
     }
diff --git a/src/tests/t_etype_info.py b/src/tests/t_etype_info.py
index 2026e78..c21d054 100644
--- a/src/tests/t_etype_info.py
+++ b/src/tests/t_etype_info.py
@@ -1,6 +1,6 @@
 from k5test import *
 
-supported_enctypes = 'aes128-cts des3-cbc-sha1 rc4-hmac des-cbc-crc:afs3'
+supported_enctypes = 'aes128-cts des3-cbc-sha1 rc4-hmac'
 conf = {'libdefaults': {'allow_weak_crypto': 'true'},
         'realms': {'$realm': {'supported_enctypes': supported_enctypes}}}
 realm = K5Realm(create_host=False, get_creds=False, krb5_conf=conf)
@@ -43,28 +43,6 @@ test_etinfo('preauthuser', 'rc4-hmac-exp des3 rc4 des-cbc-crc',
 test_etinfo('preauthuser', 'rc4 aes256-cts',
             ['error etype_info2 rc4-hmac KRBTEST.COMpreauthuser'])
 
-# AFS3 salt for DES enctypes is conveyed using s2kparams in
-# PA-ETYPE-INFO2, not at all in PA-ETYPE-INFO, and with a special padata
-# type instead of PA-PW-SALT.
-test_etinfo('user', 'des-cbc-crc rc4',
-            ['asrep etype_info2 des-cbc-crc KRBTEST.COM 01',
-             'asrep etype_info des-cbc-crc KRBTEST.COM',
-             'asrep afs3_salt KRBTEST.COM'])
-test_etinfo('preauthuser', 'des-cbc-crc rc4',
-            ['error etype_info2 des-cbc-crc KRBTEST.COM 01',
-             'error etype_info des-cbc-crc KRBTEST.COM'])
-
-# DES keys can be used with other DES enctypes.  The requested enctype
-# shows up in the etype-info, not the database key enctype.
-test_etinfo('user', 'des-cbc-md4 rc4',
-            ['asrep etype_info2 des-cbc-md4 KRBTEST.COM 01',
-             'asrep etype_info des-cbc-md4 KRBTEST.COM',
-             'asrep afs3_salt KRBTEST.COM'])
-test_etinfo('user', 'des-cbc-md5 rc4',
-            ['asrep etype_info2 des KRBTEST.COM 01',
-             'asrep etype_info des KRBTEST.COM',
-             'asrep afs3_salt KRBTEST.COM'])
-
 # If no keys are found matching the request enctypes, a
 # preauth-required error can be generated with no etype-info at all
 # (to allow for preauth mechs which don't depend on long-term keys).
diff --git a/src/tests/t_keytab.py b/src/tests/t_keytab.py
index 72e09da..633f7c7 100755
--- a/src/tests/t_keytab.py
+++ b/src/tests/t_keytab.py
@@ -155,9 +155,6 @@ realm.run([kadminl, 'ank', '-pw', 'pw', 'default'])
 realm.run([kadminl, 'ank', '-e', 'aes256-cts:special', '-pw', 'pw', 'exp'])
 realm.run([kadminl, 'ank', '-e', 'aes256-cts:special', '-pw', 'pw', '+preauth',
            'pexp'])
-realm.run([kadminl, 'ank', '-e', 'des-cbc-crc:afs3', '-pw', 'pw', 'afs'])
-realm.run([kadminl, 'ank', '-e', 'des-cbc-crc:afs3', '-pw', 'pw', '+preauth',
-           'pafs'])
 
 # Extract one of the explicit salt values from the database.
 out = realm.run([kdb5_util, 'tabdump', 'keyinfo'])
@@ -187,8 +184,6 @@ test_addent(realm, 'default', '-f')
 test_addent(realm, 'default', '-f -e aes128-cts')
 test_addent(realm, 'exp', '-f')
 test_addent(realm, 'pexp', '-f')
-test_addent(realm, 'afs', '-f')
-test_addent(realm, 'pafs', '-f')
 
 success('Keytab-related tests')
 success('Keytab-related tests')
diff --git a/src/tests/t_renprinc.py b/src/tests/t_renprinc.py
index 46cbed4..3dbb3e7 100755
--- a/src/tests/t_renprinc.py
+++ b/src/tests/t_renprinc.py
@@ -25,7 +25,7 @@ from k5test import *
 enctype = "aes128-cts"
 
 realm = K5Realm(create_host=False, create_user=False)
-salttypes = ('normal', 'v4', 'norealm', 'onlyrealm')
+salttypes = ('normal', 'norealm', 'onlyrealm')
 
 # For a variety of salt types, test that we can rename a principal and
 # still get tickets with the same password.
diff --git a/src/tests/t_salt.py b/src/tests/t_salt.py
index 278911a..008efcb 100755
--- a/src/tests/t_salt.py
+++ b/src/tests/t_salt.py
@@ -15,13 +15,9 @@ def test_salt(realm, e1, salt, e2):
     realm.run([kadminl, 'delprinc', 'user'])
 
 # Enctype/salt pairs chosen with non-default salt types.
-# The enctypes are mostly arbitrary, though afs3 must only be used with des.
-# We do not enforce that v4 salts must only be used with des, but it seems
-# like a good idea.
-salts = [('des-cbc-crc', 'afs3'),
-         ('des3-cbc-sha1', 'norealm'),
+# The enctypes are mostly arbitrary.
+salts = [('des3-cbc-sha1', 'norealm'),
          ('arcfour-hmac', 'onlyrealm'),
-         ('des-cbc-crc', 'v4'),
          ('aes128-cts-hmac-sha1-96', 'special')]
 # These enctypes are chosen to cover the different string-to-key routines.
 # Omit ":normal" from aes256 to check that salttype defaulting works.
@@ -56,22 +52,4 @@ dup_kstypes = ['arcfour-hmac-md5:normal,rc4-hmac:normal',
 for ks in dup_kstypes:
     test_dup(realm, ks)
 
-# Attempt to create a principal with a non-des enctype and the afs3 salt,
-# verifying that the expected error is received and the principal creation
-# fails.
-def test_reject_afs3(realm, etype):
-    query = 'ank -e ' + etype + ':afs3 -pw password princ1'
-    realm.run([kadminl, 'ank', '-e', etype + ':afs3', '-pw', 'password',
-               'princ1'], expected_code=1,
-              expected_msg='Invalid key generation parameters from KDC')
-    realm.run([kadminl, 'getprinc', 'princ1'], expected_code=1,
-              expected_msg='Principal does not exist')
-
-# Verify that the afs3 salt is rejected for arcfour and pbkdf2 enctypes.
-# We do not currently do any verification on the key-generation parameters
-# for the triple-DES enctypes, so that test is commented out.
-test_reject_afs3(realm, 'arcfour-hmac')
-test_reject_afs3(realm, 'aes256-cts-hmac-sha1-96')
-#test_reject_afs3(realm, 'des3-cbc-sha1')
-
 success("Salt types")
diff --git a/src/util/k5test.py b/src/util/k5test.py
index 3aec1ef..b6d93f1 100644
--- a/src/util/k5test.py
+++ b/src/util/k5test.py
@@ -1246,17 +1246,6 @@ _passes = [
     # No special settings; exercises AES256.
     ('default', None, None, None),
 
-    # Exercise a DES enctype and the v4 salt type.
-    ('desv4', None,
-     {'libdefaults': {
-                'default_tgs_enctypes': 'des-cbc-crc',
-                'default_tkt_enctypes': 'des-cbc-crc',
-                'permitted_enctypes': 'des-cbc-crc',
-                'allow_weak_crypto': 'true'}},
-     {'realms': {'$realm': {
-                    'supported_enctypes': 'des-cbc-crc:v4',
-                    'master_key_type': 'des-cbc-crc'}}}),
-
     # Exercise the DES3 enctype.
     ('des3', None,
      {'libdefaults': {


More information about the cvs-krb5 mailing list