More on enctypes vs. VPN
John Hascall
john@iastate.edu
Sun Oct 12 11:39:47 EDT 2003
Thanks all for the help in getting me this far.
(by using:
supported_enctypes = des-cbc-md5:normal des-cbc-md5:norealm \
des-cbc-md5:onlyrealm des-cbc-crc:v4
in my kdc.conf).
Now, in my kdc.log I'm seeing these requests from the VPN server:
Oct 10 06:59:35 kerberos-1.iastate.edu krb5kdc[9196](info): \
AS_REQ (7 etypes {3 1 2 16 8 23 0}) 129.186.97.220(88): \
ISSUE: authtime 1065787175, etypes {rep=3 tkt=1 ses=1}, \
janeuser@IASTATE.EDU for krbtgt/IASTATE.EDU@IASTATE.EDU
I assume the 'AS_REQ (7 etypes ...' means it will accept keys with any
of those 7 enctypes. (I have no idea what enctype 23 is as it is not
in krb5.h but I'll assume that is unimportant.)
The reply 'ISSUE: ... etypes {rep=3 tkt=1 ses=1}' is not something
I understand completely though (and it seems to be unacceptable
to the VPN).
I assume that means that:
* the reply itself is encrypted using ENCTYPE_DES_CBC_MD5(#3),
* the ticket inside the reply is using ENCTYPE_DES_CBC_CRC(#1),
* as is the session key
Correct?
How is it decided what enctype is used for the
reply, ticket, and session key?
Is it a reasonable guess that the VPN wants the tkt to be enctype#3 too?
If so, how to make this happen?
Thanks,
John
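Added example, not part of the original post and not MIT krb5 code: a small Python checker that reads krb5kdc AS_REQ ISSUE lines of the form shown above, splits the client's offered etype list from the KDC's rep/tkt/ses choice, and reports three things a KDC admin would want to know: whether rep and ses are etypes the client actually offered (the client cannot use the reply otherwise; tkt is the service's own key and is not constrained by the client's list), whether the KDC picked something other than the client's first choice, and whether any of the three is a single-DES or RC4 enctype. The enctype number-to-name table is assumed from the IANA Kerberos registry and MIT krb5.h (1 des-cbc-crc, 3 des-cbc-md5, 16 des3, 17/18 AES, 23 rc4-hmac). The sample log is constructed: the first line reproduces the post's record with '@' restored in the principal names, the others are made up to exercise the checks.

```python
import re

# Enctype numbers from the IANA Kerberos registry / MIT krb5.h (assumed
# mapping, added for this example; the post's krb5.h predates 23).
ENCTYPE_NAMES = {
    0: "null",
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    8: "des-hmac-sha1",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",  # RC4-HMAC, the Windows enctype
}
# Single-DES variants and RC4 are treated as weak by this checker.
WEAK_ENCTYPES = {0, 1, 2, 3, 8, 23}

# One krb5kdc AS_REQ ISSUE record (MIT log format as shown in the post).
ISSUE_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): AS_REQ \(\d+ etypes \{(?P<req>[^}]*)\}\) "
    r"(?P<addr>\S+)\(\d+\): ISSUE: authtime \d+, "
    r"etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, "
    r"(?P<client>\S+) for (?P<server>\S+)"
)


def enctype_name(n):
    return ENCTYPE_NAMES.get(n, "unknown(%d)" % n)


def parse_as_req(line):
    """Return a dict for an AS_REQ ISSUE line, or None for any other record."""
    m = ISSUE_RE.search(line)
    if not m:
        return None
    return {
        "requested": [int(x) for x in m.group("req").split()],  # client's preference order
        "addr": m.group("addr"),
        "rep": int(m.group("rep")),  # enctype the KDC reply is encrypted in (client's key)
        "tkt": int(m.group("tkt")),  # enctype of the service (krbtgt) key sealing the ticket
        "ses": int(m.group("ses")),  # enctype of the session key carried in reply and ticket
        "client": m.group("client"),
        "server": m.group("server"),
    }


def check_issue(rec):
    """Findings for one record.

    rep and ses must be etypes the client offered; tkt is the service's own
    key and is not constrained by the client's list. below_preference maps
    rep/ses to their 0-based rank in the client's list whenever the KDC did
    not pick the client's first choice.
    """
    req = rec["requested"]
    not_offered = [p for p in ("rep", "ses") if rec[p] not in req]
    below_pref = {p: req.index(rec[p]) for p in ("rep", "ses")
                  if rec[p] in req and req.index(rec[p]) > 0}
    weak = {p: rec[p] for p in ("rep", "tkt", "ses") if rec[p] in WEAK_ENCTYPES}
    return {"not_offered": not_offered, "below_preference": below_pref, "weak": weak}


def audit(lines):
    """Parse every line; return (record, findings) pairs for ISSUE records only."""
    out = []
    for line in lines:
        rec = parse_as_req(line)
        if rec is not None:
            out.append((rec, check_issue(rec)))
    return out


# Constructed sample log: line 1 is the post's record with '@' restored,
# the rest are made up to exercise the checks (including a non-ISSUE line).
SAMPLE_LOG = [
    "Oct 10 06:59:35 kerberos-1.iastate.edu krb5kdc[9196](info): AS_REQ "
    "(7 etypes {3 1 2 16 8 23 0}) 129.186.97.220(88): ISSUE: authtime 1065787175, "
    "etypes {rep=3 tkt=1 ses=1}, janeuser@IASTATE.EDU for krbtgt/IASTATE.EDU@IASTATE.EDU",
    "Oct 10 07:01:12 kdc.example.com krb5kdc[4242](info): AS_REQ "
    "(2 etypes {18 17}) 192.0.2.10(88): ISSUE: authtime 1065787272, "
    "etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    "Oct 10 07:02:40 kdc.example.com krb5kdc[4242](info): AS_REQ "
    "(1 etypes {18}) 192.0.2.11(88): ISSUE: authtime 1065787360, "
    "etypes {rep=18 tkt=18 ses=23}, carol@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    "Oct 10 07:03:05 kdc.example.com krb5kdc[4242](info): AS_REQ "
    "(1 etypes {18}) 192.0.2.12(88): PREAUTH_FAILED: dave@EXAMPLE.COM for "
    "krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed",
]

if __name__ == "__main__":
    for rec, f in audit(SAMPLE_LOG):
        print("%s from %s offered %s" % (rec["client"], rec["addr"],
              ", ".join(enctype_name(e) for e in rec["requested"])))
        for part in ("rep", "tkt", "ses"):
            print("  %s=%d (%s)" % (part, rec[part], enctype_name(rec[part])))
        for p in f["not_offered"]:
            print("  !! %s is not an etype the client offered" % p)
        for p, rank in f["below_preference"].items():
            print("  -- %s is the client's choice #%d; first choice was %s"
                  % (p, rank + 1, enctype_name(rec["requested"][0])))
        if f["weak"]:
            print("  -- weak etypes in use: %s" % ", ".join(
                "%s=%s" % (p, enctype_name(e)) for p, e in f["weak"].items()))
```

Run against the post's own record, the checker reports that rep=3 is the client's first choice, that ses=1 is only its second choice, and that all three etypes in play are single DES; the third constructed line shows the case a client genuinely cannot use, a session key enctype it never offered.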