author | Simo Sorce <simo@redhat.com> | 2015-11-23 13:40:42 -0500 |
---|---|---|
committer | Simo Sorce <simo@redhat.com> | 2015-12-08 10:09:28 -0500 |
commit | 3571184429c9bef9aa2b8831f3c27793b64e8024 (patch) | |
tree | 7500ac5236734b7b38a8271607c4a176336bc383 | |
parent | 848912ae31d1549d5f6bed874cc6c4541bada6f4 (diff) | |
Use only AES enctypes by default
Remove des3 and arcfour from the defaults for new installs.
NOTE: the ipasam/dcerpc code still uses arcfour
Signed-off-by: Simo Sorce <simo@redhat.com>
Ticket: https://fedorahosted.org/freeipa/ticket/4740
-rw-r--r-- | daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 14 | ||||
-rw-r--r-- | install/share/kerberos.ldif | 2 |
2 files changed, 3 insertions, 13 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
index 1a8ef47b0..5dc606d22 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@@ -55,18 +55,10 @@ extern const char *ipa_realm_dn;
 extern const char *ipa_etc_config_dn;
 extern const char *ipa_pwd_config_dn;
 
-/* These are the default enc:salt types if nothing is defined.
- * TODO: retrieve the configure set of ecntypes either from the
- * kfc.conf file or by synchronizing the file content into
- * the directory */
+/* These are the default enc:salt types if nothing is defined in LDAP */
 static const char *ipapwd_def_encsalts[] = {
- "des3-hmac-sha1:normal",
-/* "arcfour-hmac:normal",
- "des-hmac-sha1:normal",
- "des-cbc-md5:normal", */
- "des-cbc-crc:normal",
-/* "des-cbc-crc:v4",
- "des-cbc-crc:afs3", */
+ "aes256-cts:special",
+ "aes128-cts:special",
 NULL
 };
 
diff --git a/install/share/kerberos.ldif b/install/share/kerberos.ldif
index 41e77952a..1f556382e 100644
--- a/install/share/kerberos.ldif
+++ b/install/share/kerberos.ldif
@@ -30,8 +30,6 @@ krbMaxTicketLife: 86400
 krbMaxRenewableAge: 604800
 krbDefaultEncSaltTypes: aes256-cts:special
 krbDefaultEncSaltTypes: aes128-cts:special
-krbDefaultEncSaltTypes: des3-hmac-sha1:special
-krbDefaultEncSaltTypes: arcfour-hmac:special
 
 # Default password Policy
 dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX |
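Review bot: The shortened comment above `ipapwd_def_encsalts` in common.c no longer says that this fallback list has to stay in step with the `krbDefaultEncSaltTypes` values in install/share/kerberos.ldif, nor that des, des3 and arcfour were left out on purpose. I would extend it to `/* Default enc:salt types used when none are defined in LDAP; keep in sync with install/share/kerberos.ldif. AES only: do not re-add des, des3 or arcfour. */` so a later edit does not quietly bring a weak enctype back. The fallback entries also move from `:normal` to `:special` salts, which the commit message does not mention. Presumably this is to match the LDIF, but it is worth confirming that the code reading this array treats `special` the same way it does for LDAP-sourced values. The array's consumers are outside the hunk.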