F40 Change Proposal: Deprecate_ntlm_in_cyrus_sasl (Self-Contained)


This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.


Summary

NTLM has been deprecated for years and is obsolete. Support for it should be removed as a SASL mechanism. This is no longer supported by cyrus-sasl upstream. The cyrus-sasl-ntlm subpackage should be removed.

Owner

Detailed Description

NTLM is a family of authentication protocols used to authenticate users and computers. It has been supplanted by more secure protocols (e.g. Kerberos). Microsoft is removing support for NTLM in favor of Kerberos in Windows to boost security.

Since 2010, Microsoft no longer recommends NTLM in applications:

Implementers should be aware that NTLM does not support any recent cryptographic methods, such as AES or SHA-256. It uses cyclic redundancy checks (CRC) or MD5 for integrity, and RC4 for encryption. Deriving a key from a password is as specified in RFC1320 and FIPS46-2. Therefore, applications are generally advised not to use NTLM.

Feedback

Benefit to Fedora

The cyrus-sasl project dropped support for the ntlm plugin in July 2023. This proposal removes an unsupported and insecure protocol. Without upstream support, this plugin is potentially a heavy burden for Fedora packagers and a risk to security.

Scope

  • Proposal owners: Deprecate cyrus-sasl-ntlm. This will allow the sub-package to be removed from the distribution in a future release.

  • Other developers:

    • There do not appear to be any packages that rely on cyrus-sasl-ntlm
  • Release engineering:

Some coordination may be necessary so the subpackage never appears in a given Fedora release. Ideally it is removed in rawhide before the Fedora-next fork.

  • Policies and guidelines: Release notes will be needed to announce the deprecation and removal.

  • Trademark approval: N/A (not needed for this Change)

  • Alignment with Community Initiatives: N/A

Upgrade/compatibility impact

Existing users of cyrus-sasl-ntlm will need to authenticate using a different mechanism.

How To Test

This will only affect a narrow set of users. It will be an exercise for the end-user to determine which mechanism(s) may be a suitable replacement.
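One way to find the affected configurations before upgrading, as an added example that is not part of the proposal or of cyrus-sasl: the function below scans Cyrus SASL service config files for a `mech_list` option that names NTLM. It assumes the configs live in a directory such as /etc/sasl2, and that a config with no `mech_list` lets the library offer every installed mechanism plugin; the `explicit`/`implicit` labels and the sample file names are made up for this illustration.

```shell
#!/bin/sh
# Added example: report Cyrus SASL service configs that can still offer NTLM.
# Usage: audit_sasl_ntlm DIR   (DIR is e.g. /etc/sasl2 on a real host; assumption)
# Prints "<file>: explicit" when mech_list names NTLM, and "<file>: implicit"
# when the file sets no mech_list at all (no restriction on installed plugins).
audit_sasl_ntlm() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue                # empty directory: glob did not match
        awk -v file="$f" '
            /^[ \t]*#/ { next }                # skip comment lines
            /^[ \t]*mech_list[ \t]*:/ {        # option line: "mech_list: A B C"
                seen = 1
                sub(/^[^:]*:/, "")             # keep only the value part
                n = split(toupper($0), mech, /[ \t]+/)
                for (i = 1; i <= n; i++)
                    if (mech[i] == "NTLM") hit = 1
            }
            END {
                if (hit)        print file ": explicit"
                else if (!seen) print file ": implicit"
            }' "$f"
    done
}

# Constructed sample configs (hypothetical service names, not from a real host).
demo_dir=$(mktemp -d)
printf 'pwcheck_method: saslauthd\nmech_list: PLAIN LOGIN ntlm\n' > "$demo_dir/smtpd.conf"
printf '# mech_list: NTLM\nmech_list: GSSAPI SCRAM-SHA-256\n'     > "$demo_dir/imapd.conf"
printf 'pwcheck_method: auxprop\n'                                > "$demo_dir/ldapd.conf"

audit_sasl_ntlm "$demo_dir"
rm -rf "$demo_dir"
```

An `implicit` result only matters while the cyrus-sasl-ntlm subpackage is installed, which `rpm -q cyrus-sasl-ntlm` reports.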

User Experience

This will not be visible to users that aren’t using cyrus-sasl-ntlm. It will be very visible to those that are, as they will have to revise their authentication configuration in order to upgrade or install the cyrus-sasl package.

Dependencies


Contingency Plan

The proposal involves removing a subpackage from the spec file. The backup plan is to not do it.

Documentation

This was removed in the upstream PR "Remove NTLM support" (Issue #708, cyrusimap/cyrus-sasl on GitHub).

Release Notes

This change proposal has now been submitted to FESCo with ticket #3159 for voting.

To find out more, please visit our Changes Policy documentation.