Ken Hornstein kenh at cmf.nrl.navy.mil
Wed Oct 22 11:50:29 EDT 2003

>I have a problem with fakeka. I want to run it on a KDC which encrypts 
>its master key with DES3-HMAC-SHA1. I checked the source code of fakeka 
>and see that it only supports DES-CBC-CRC. Is there a special 
>reason to not add a switch -e which accepts the options des and des3?

As Sam has already pointed out, this is a bug.  Which just goes to show
you the dangers of copying code and things change from underneath you;
I believe I got this code from the KDC, but the KDC code has changed
in the interim.  And of course since it's near impossible to change the
master key, I never ran into this problem myself.

You know ... this is just used to initialize the V4 random number
generator library.  This should actually be easy to fix.  If you look
at the code surrounding the call to des_random_number_init() in the
kdc/main.c, you can see the sort of thing you want to put in that same
section.  Unfortunately, I'm a bit busy right now to cook up a patch
for this for the next few weeks.

>It is really easy to change the source code and to add the option (only 
>another case statement and an additional variable) but I'm not sure 
>about the side effects. The function get_princ_key includes a comment 
>which explicitly enforces DES. Is there a problem with DES3 and AFS 
>(or better clients which think they talk with kaserver)?

This is a different issue; if you're using fakeka, your clients (and the
AFS fileserver) need single-DES keys.  There's currently no way around
this one.

