removing Secure RPC DES authentication
- Reply: Konstantin Belousov : "Re: removing Secure RPC DES authentication"
Date: Sun, 17 Aug 2025 00:32:03 UTC

this is somewhat connected to the thread "ABI guarantees" but because
it's about a specific feature, i thought it would reduce noise to create
a new thread for it.

currently we include functions in libc to provide "Secure RPC", an
authenticated form of RPC that uses DES to secure inter-host traffic
and authenticate users across the network. Secure RPC is a core part
of NIS+, an updated version of NIS/YP.

libc support for Secure RPC is not self-contained, but relies on an
external daemon called keyserv(8) to manage the key material. this
daemon was removed from the base system in January (9dcb984251b3[0]),
at which point Secure RPC became non-functional: any attempt to use
it will return an error.

[0] https://cgit.freebsd.org/src/commit/?id=9dcb984251b3

the justification for this removal was that Secure RPC relies on DES,
which means it's not actually secure at all, and no one should use
it[1]. i find this perfectly reasonable, and no one has objected to
its removal.

[1] while it might have applications for retrocomputing, as far as i'm
    aware, every system that supports NIS+ also supports NIS/YP, and
    both provide equivalent security, so there is very little reason
    to deploy NIS+ nowadays.

later, since the related libc functions no longer worked, i removed
these and replaced them with stubs[2], meaning old applications would
continue to run, but new applications could not be linked with these
symbols. kib@ objected to this change[3], so this was reverted[4].

[2] https://cgit.freebsd.org/src/commit/?id=7ac276298b72
[3] https://lists.freebsd.org/archives/dev-commits-src-main/2025-August/034755.html
[4] https://cgit.freebsd.org/src/commit/?id=837b13af68bd

i would like to discuss this with the aim of re-applying this change,
so we once again remove these functions and replace them with stubs.
my argument for this is:

* the functions don't work and will always fail; instead of shipping
  dead code that tries to make (local) network connections, we can
  achieve the same result by removing the code and returning the
  error early.
* the user cannot take keyserv(8) from an older release and build it
  on 15.0, because it relies on undocumented, private libc symbols
  that are not protected by the ABI guarantee and could be removed
  or broken at any time. since we aren't providing compatibility
  here anyway, it's cleaner to remove the entire thing at once (in
  15.0) rather than encouraging users to rely on private APIs.

while i understand the desire to support backward compatibility for
applications, i see this as similar to removing Xerox XNS: that also
broke applications, because any application that relied on XNS stopped
working, but this was justified because XNS is an obsolete network
protocol.

similarly, DES authentication for RPC is an obsolete network protocol
that has also been overcome by events.