Operating Systems & Kerberos

Sam Hartman hartmans at MIT.EDU
Fri Feb 14 11:38:09 EST 2003


>>>>> "Phil" == Phil Hirsch <pdh at us.ibm.com> writes:

    Phil> Second, IBM's docs say that if you want to configure a Sun
    Phil> SEAM client into a realm that's served by an IBM KDC, you
    Phil> must move the des3 entries to the ends of the lists in
    Phil> krb5.conf and kdc.conf on the server. If you don't do this,
    Phil> then the client's attempts to authenticate will result in
    Phil> preauthentication failures. 

Can you please update your documents to indicate that this
significantly decreases the security of your realm?  It has the effect
of preferring des instead of des3 for the service tickets issued, among
other things.

The reason this security decrease is necessary is a rather unfortunate
bug in both the MIT KDC and the MIT client codebase. It's bug 1006 in
our database.

The only good news about this issue is that once the bug is fixed,
upgrading either the KDC or the client should be sufficient to work
around the problem.

--Sam
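
Added example, not part of the original message and not MIT or IBM code: a small check for the ordering discussed above, reporting any enctype list in krb5.conf or kdc.conf where a single-DES entry is placed ahead of a des3 entry. The setting names in LIST_KEYS are assumed to be the "lists" the quoted documentation means, and the sample configuration is constructed.

```python
import re

# Enctype list settings in MIT-style krb5.conf / kdc.conf (assumption:
# these are the lists the quoted IBM documentation refers to).
LIST_KEYS = {"default_tkt_enctypes", "default_tgs_enctypes",
             "permitted_enctypes", "supported_enctypes"}

# Constructed sample configuration, for illustration only.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
    default_tgs_enctypes = des3-cbc-sha1 des-cbc-md5 des-cbc-crc
[realms]
    EXAMPLE.COM = {
        supported_enctypes = des-cbc-crc:normal des3-cbc-sha1:normal
    }
"""

def family(entry):
    """Classify an entry such as 'des3-cbc-sha1' or 'des-cbc-crc:normal'."""
    name = entry.split(":", 1)[0].lower()  # drop the kdc.conf salt suffix
    if name.startswith("des3"):
        return "des3"
    if name == "des" or name.startswith("des-"):
        return "des"
    return "other"

def audit(text):
    """Return (line_no, key, des_entry, des3_entry) for every list in
    which a single-DES enctype is ordered ahead of a des3 enctype."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key not in LIST_KEYS:
            continue
        first_des = None
        for entry in re.split(r"[\s,]+", value):
            if family(entry) == "des" and first_des is None:
                first_des = entry
            elif family(entry) == "des3" and first_des is not None:
                findings.append((line_no, key, first_des, entry))
                break
    return findings

if __name__ == "__main__":
    for line_no, key, des, des3 in audit(SAMPLE):
        print(f"line {line_no}: {key} lists {des} ahead of {des3}")
```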

