[krbdev.mit.edu #1809] Krb5 Telnet[d] improperly truncates 3DES keys to DES key

[via RT]

In conversations with Ken H., it appears that NRL's implementation of
ENCRYPT 3DES-CFB-64 does not follow the rules of RFC 2947.  This means
that any combination of AUTH KRB5 with ENCRYPT other than single DES
session keys is simply a lost cause. 

It appears the only solution is to replace the AUTH KRB5 mechanism with
a new AUTH KRB5_ENCRYPT option which negotiates KRB5; closes the attack
against the unprotected AUTH USER message; and automatically turns on
encryption using the provided session key.