KfW and triple des problems
Todd Kover
kovert at omniscient.com
Wed Feb 13 17:30:55 EST 2002
is anyone aware of problems with KfW 2.1.2 and triple des encryption?
[ This is all krb5. I have no krb4 support turned on anymore. ]
I'm attempting to get WinCVS/cvs working with gserver against the 2.1.2
sdk and have been successful using keys in my age-old kdc (migrated
over from v4) which only has a des-cbc-crc key for the relevant service
principal:
kadmin: getprinc cvs/saidin.omniscient.com
[ ... ]
Number of keys: 1
Key: vno 2, DES cbc mode with CRC-32, no salt
(The kdc is running 1.2.2 now but that's a change since the
above-mentioned principal was created).
I'm able to interact with a cvs server linked against 1.2.2 sources
using this service key just fine.
Using the same cvs binary, but against a relatively newly configured cvs
server (initially installed under 1.2) the service side is complaining:
"could not verify credentials"
with a cvs server similarly linked against 1.2.2 libraries but with a
cvs/hostname principal in the kdc with key types:
Number of keys: 2
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, DES cbc mode with CRC-32, no salt
The odd thing is that when I have the windows box's krb5.ini file set
with:
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
I can kinit against it fine from the windows box. If I change this to:
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
kinits fail.
This leads me to believe something is awry with the des3-hmac-sha1
support.
It seems that the .ini file is ignored when grabbing service tickets
because the credentials cache on the windows box has both keys in it
when I attempt to use cvs, regardless of the config file. (this isn't
surprising).
Does this ring any bells for anyone? I haven't dug deeply into the code
just yet. I figured I'd ask before I started to try to parse it and get
the encryption-induced headache I expect. :-)
Windows 2000+SP2 if that makes a difference. Everything's built with
Visual C++&&sp5.
thanks,
-Todd
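An added diagnostic (not from the post, and not MIT Kerberos code) that parses the `getprinc` key lines quoted above and works out which enctype a client with a given default_tgs_enctypes list would end up using against each principal, or that no common enctype exists. The alias table mapping kadmin's key descriptions to krb5.ini names is an assumption and covers only the two enctypes in the post; the sample getprinc output is constructed from the lines quoted above.

```python
import re

# Map kadmin "Key:" descriptions to krb5.ini enctype names.
# Assumed table; it only covers the two enctypes the post mentions.
ENCTYPE_ALIASES = {
    "des cbc mode with crc-32": "des-cbc-crc",
    "triple des cbc mode with hmac/sha1": "des3-hmac-sha1",
}
WEAK_ENCTYPES = {"des-cbc-crc"}  # single DES: flag it when it gets chosen

KEY_LINE = re.compile(r"^\s*Key:\s*vno\s+(\d+),\s*(.+?),\s*(.*)$", re.IGNORECASE)

# Constructed getprinc output for the two principals described in the post.
OLD_PRINCIPAL = """Number of keys: 1
Key: vno 2, DES cbc mode with CRC-32, no salt
"""
NEW_PRINCIPAL = """Number of keys: 2
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, DES cbc mode with CRC-32, no salt
"""


def parse_getprinc_keys(text):
    """Return [(vno, enctype)] for every 'Key:' line in getprinc output."""
    keys = []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            desc = m.group(2).strip().lower()
            keys.append((int(m.group(1)), ENCTYPE_ALIASES.get(desc, desc)))
    return keys


def negotiate(client_enctypes, principal_keys):
    """First enctype in the client's preference list the principal has a key for."""
    available = {enc for _, enc in principal_keys}
    for enc in client_enctypes:
        if enc in available:
            return enc
    return None


def assess(client_enctypes, getprinc_text):
    """Human-readable verdict: chosen enctype, weak-enctype warning, or failure."""
    chosen = negotiate(client_enctypes, parse_getprinc_keys(getprinc_text))
    if chosen is None:
        return "no common enctype: ticket request would fail"
    if chosen in WEAK_ENCTYPES:
        return f"{chosen} (weak: single DES)"
    return chosen


if __name__ == "__main__":
    for prefs in (["des-cbc-crc"], ["des3-hmac-sha1", "des-cbc-crc"]):
        print(prefs, "old:", assess(prefs, OLD_PRINCIPAL), "new:", assess(prefs, NEW_PRINCIPAL))
```

With the des3-first preference list the new principal negotiates des3-hmac-sha1, which is exactly the path the post reports failing, while the old principal can only ever negotiate single DES.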