Deprecate_ntlm_in_cyrus_sasl

Summary

NTLM has been deprecated for years and is obsolete. Support for it should be removed as a SASL mechanism. This is no longer supported by cyrus-sasl upstream. The cyrus-sasl-ntlm subpackage should be removed.

Owner

• Name: Rob Crittenden
• Email: rcritten@redhat.com.

Current status

• Targeted release: Fedora Linux 40
• Last updated: 2024-02-28
• Discussion thread
• Announced
• FESCo issue: #3159
• Tracker bug: #2263305
• Release notes tracker: #1092

Detailed Description

NTLM authentication is a family of authentication protocols to authenticate users and computers. It has been supplanted by more secure protocols (e.g. Kerberos). Microsoft is removing support for NTLM in favor of Kerberos in Windows to boost security

Since 2010, Microsoft no longer recommends NTLM in applications:

   Implementers should be aware that NTLM does not support any recent cryptographic methods, such as AES or SHA-256. It uses cyclic redundancy checks (CRC) or MD5 for integrity, and RC4 for encryption.
   Deriving a key from a password is as specified in RFC1320 and FIPS46-2. Therefore, applications are generally advised not to use NTLM.

Feedback

Benefit to Fedora

The cyrus-sasl project dropped support for the ntlm plugin in July, 2023. This proposal removes an unsupported and insecure protocol. Without upstream support from upstream this plugin is potentially a heavy burden for Fedora packagers and a risk to security.

Scope

• Proposal owners:

Proposal owner: Deprecate cyrus-sasl-ntlm. This will allow for sub-package from the distribution in a future release.

• Other developers:
  • There do not appear to be any packages that rely on cyrus-sasl-ntlm

• Release engineering:

Some coordination may be necessary so the subpackage never appears in a given Fedora release. Ideally it is removed in rawhide before the Fedora-next fork.

• Policies and guidelines: Release notes will be needed to announce the deprecation and removal.

• Trademark approval: N/A (not needed for this Change)

• Alignment with Community Initiatives: N/A

Upgrade/compatibility impact

Existing users of cyrus-sasl-ntlm will need to authenticate using a different mechanism.

How To Test

This will only affect a narrow set of users. It will be an exercise for the end-user to determine which mechanism(s) may be a suitable replacement.

User Experience

This will not be visible to users that aren't using cyrus-sasl-ntml. It will be very visible to those that are as they will have to revise their authentication configuration in order to upgrade or install the cyrus-sasl package.

Dependencies

None.

Contingency Plan

The proposal involves removing a subpackage from the spec file. There backup plan is to not do it.

Documentation

This was removed in upstream PR https://github.com/cyrusimap/cyrus-sasl/issues/708

Release Notes