More on enctypes vs. VPN
Garrett Wollman
wollman at lcs.mit.edu
Sun Oct 12 23:54:58 EDT 2003
In article <200310130024.TAA23718 at pvtest.ait.iastate.edu>,
John Hascall <john at iastate.edu> wrote:
> It's not old VPN software, it's some new thing from cisco.
This is a semi-documented limitation in the Cisco VPN server software.
I have been complaining about it to our Cisco SE to no avail. (Aside
to Sam: Jeff just bought a couple of these. Can you ask him what, if
anything, he did about this?) Apparently, des-cbc-md5 is the only
enctype AD supports, and that's the only one they are ever going to
implement. (This is obviously insane, since they already have all of
the necessary crypto primitives to implement des3-cbc-sha1 which is
what our KDC is doing by default.)
If it helps any, John: I was able to get our VPN 3005 to authenticate
simply by changing a test user's password with a keytype of
des-cbc-md5; while this doesn't help the rest of our users, it
definitely demonstrates that the bug is in Cisco's handling of the
initial AS reply. (This makes sense, since the thing doesn't verify
tickets; it has no host key.)
-GAWollman
--
Garrett A. Wollman | As the Constitution endures, persons in every
wollman at lcs.mit.edu | generation can invoke its principles in their own
Opinions not those of| search for greater freedom.
MIT, LCS, CRS, or NSA| - A. Kennedy, Lawrence v. Texas, 539 U.S. ___ (2003)
More information about the Kerberos
mailing list