NTLM has been deprecated for years and is obsolete, and the plugin is no longer supported by cyrus-sasl upstream. Support for NTLM as a SASL mechanism should be removed by dropping the cyrus-sasl-ntlm subpackage.
- Name: Rob Crittenden
- Email: firstname.lastname@example.org.
- Targeted release: Fedora Linux 40
- Last updated: 2024-02-28
- Discussion thread
- FESCo issue: #3159
- Tracker bug: #2263305
- Release notes tracker: #1092
NTLM is a family of challenge-response authentication protocols for authenticating users and computers. It has been supplanted by more secure protocols (e.g. Kerberos), and Microsoft has announced the deprecation of NTLM in Windows in favor of Kerberos to improve security.
Implementers should be aware that NTLM does not support any recent cryptographic methods, such as AES or SHA-256. It uses cyclic redundancy checks (CRC) or MD5 for integrity, and RC4 for encryption. Deriving a key from a password is as specified in RFC 1320 (MD4, for the NT hash) and FIPS 46-2 (DES, for the LM hash); neither hash is salted, so a stolen hash is a password-equivalent credential. Therefore, applications are generally advised not to use NTLM.
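To make the key-derivation point concrete, the following is an added worked example written for this page; it is not code from the proposal or from cyrus-sasl. It implements MD4 as specified in RFC 1320 in pure Python (hashlib's md4 is usually unavailable on modern OpenSSL builds, where it lives in the legacy provider), derives the NT hash from a password exactly as NTLM does (unsalted MD4 over the UTF-16LE password), and then derives the NTLMv2 HMAC-MD5 key from that hash alone, which is why possession of the hash is as good as the password. The user and domain names are made up.

```python
"""Added example: NTLM's password-derived keys (MD4 per RFC 1320, HMAC-MD5).

Not part of the Fedora proposal or of cyrus-sasl. Pure-Python MD4 is used
because hashlib.new("md4") is typically absent on current OpenSSL builds.
"""
import hmac
import struct

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """MD4 as specified in RFC 1320; returns the 16-byte digest."""
    bit_len = len(data) * 8
    # Padding: 0x80, zeros to 56 mod 64, then the 64-bit little-endian bit length.
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    # Each round: boolean function, additive constant, message-word order, shift amounts.
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         tuple(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        s = state[:]
        for func, k, order, shifts in rounds:
            for j in range(16):
                # Register roles rotate each step: (a,b,c,d), (d,a,b,c), (c,d,a,b), (b,c,d,a).
                i = (-j) % 4
                a, b, c, d = (s[(i + t) % 4] for t in range(4))
                s[i] = _rotl((a + func(b, c, d) + X[order[j]] + k) & _MASK, shifts[j % 4])
        state = [(v + w) & _MASK for v, w in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NTOWFv1 (MS-NLMP 3.3.1): unsalted MD4 over the UTF-16LE password.

    No salt and no iteration: identical passwords give identical hashes,
    and the hash can be computed offline at MD4 speed from a wordlist.
    """
    return md4(password.encode("utf-16le"))


def ntowfv2(nthash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP 3.3.2): HMAC-MD5 keyed with the NT hash over
    UPPERCASE(user) + domain in UTF-16LE.

    The input is the hash, not the password: anyone holding the NT hash can
    derive every NTLMv2 key without ever learning the password (pass-the-hash).
    """
    return hmac.new(nthash, (user.upper() + domain).encode("utf-16le"), "md5").digest()


if __name__ == "__main__":
    # Constructed sample: two accounts sharing a password (assumed names, not real data).
    h_alice = nt_hash("password")
    h_bob = nt_hash("password")
    print("NT hash (alice):", h_alice.hex())
    print("same hash for bob:", h_alice == h_bob)           # unsalted
    print("NTOWFv2 alice   :", ntowfv2(h_alice, "alice", "EXAMPLE").hex())
    print("NTOWFv2 bob     :", ntowfv2(h_bob, "bob", "EXAMPLE").hex())
```

Run it directly to see that the two accounts share one NT hash while their NTLMv2 keys differ only because the user name is mixed in; the password itself is never needed once the hash is known. The empty-string digest and the "abc" digest come from the RFC 1320 test suite, and the NT hash of "password" is the widely published value 8846f7eaee8fb117ad06bdd830b7586c.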
Benefit to Fedora
The cyrus-sasl project dropped support for the ntlm plugin in July 2023. This proposal removes an unsupported and insecure protocol. Without upstream support, this plugin is a maintenance burden for Fedora packagers and a security risk.
- Proposal owners: Deprecate cyrus-sasl-ntlm. This allows the sub-package to be removed from the distribution in a future release.
- Other developers: There do not appear to be any packages that depend on cyrus-sasl-ntlm.
- Release engineering: Some coordination may be necessary so the subpackage never appears in a given Fedora release. Ideally it is removed in Rawhide before the next Fedora release branches off.
- Policies and guidelines: Release notes will be needed to announce the deprecation and removal.
- Trademark approval: N/A (not needed for this Change)
- Alignment with Community Initiatives: N/A
Existing users of cyrus-sasl-ntlm will need to authenticate using a different mechanism.
How To Test
This will only affect a narrow set of users. It will be an exercise for the end user to determine which mechanism(s) may be a suitable replacement (for example GSSAPI, which provides Kerberos authentication).
This will not be visible to users that aren't using cyrus-sasl-ntlm. It will be very visible to those that are, as they will have to revise their authentication configuration in order to upgrade or install the cyrus-sasl package.
The proposal involves removing a subpackage from the spec file. The contingency plan is to not remove it.
The plugin was removed upstream; see https://github.com/cyrusimap/cyrus-sasl/issues/708