haussli / draft-dahm-opsawg-tacacs-security

IETF draft for new tacacs+ security features

Deprecate MD4 support? #20

Closed haussli closed 3 years ago

haussli commented 3 years ago

Can we deprecate MD4 support? Is it worth the effort?

It is used primarily by MS-CHAP (RFC 2433, RFC 2759), we think.

td-tacacs commented 3 years ago

Yes for deprecating MD4 support

dcmgashcisco commented 3 years ago

Well... I'm happy to get rid of MS-CHAPv1, but MS-CHAPv2 (2759) is still useful for AD interoperability.

td-tacacs commented 3 years ago

Good argument, we definitely need to keep MS-CHAPv2 then.

dcmgashcisco commented 3 years ago

So MS-CHAPv2 does require MD4 for the NT password hash. There should be no other place for MD4 in TACACS+ though, so if you don't need to do MS-CHAPv2, then you can drop MD4 support.

td-tacacs commented 3 years ago

We should probably drop this comment somewhere in the text.

dcmgashcisco commented 3 years ago

Will not drop MD4 at this point as it is still required for MS-CHAP v2

dcmgashcisco commented 3 years ago

Updated document; included that MD4 will be kept for MS-CHAPv2