Use only AES enctypes by default

Remove des3 and arcfour from the defaults for new installs.

NOTE: the ipasam/dcerpc code sill uses arcfour

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/4740
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

1 files changed, 3 insertions, 11 deletions

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
index 1a8ef47b0..5dc606d22 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@@ -55,18 +55,10 @@ extern const char *ipa_realm_dn;
 extern const char *ipa_etc_config_dn;
 extern const char *ipa_pwd_config_dn;
 
-/* These are the default enc:salt types if nothing is defined.
- * TODO: retrieve the configure set of ecntypes either from the
- * kfc.conf file or by synchronizing the file content into
- * the directory */
+/* These are the default enc:salt types if nothing is defined in LDAP */
 static const char *ipapwd_def_encsalts[] = {
-    "des3-hmac-sha1:normal",
-/*    "arcfour-hmac:normal",
-    "des-hmac-sha1:normal",
-    "des-cbc-md5:normal", */
-    "des-cbc-crc:normal",
-/*    "des-cbc-crc:v4",
-    "des-cbc-crc:afs3", */
+    "aes256-cts:special",
+    "aes128-cts:special",
     NULL
 };