cisco & krb5
Mihai RUSU
dizzy at roedu.net
Wed Mar 24 10:17:18 EST 2004
On Wed, 24 Mar 2004, Tim Alsop wrote:
> Mihai,
>
> I cannot see any issue with creating a service principal in KDC and
> extracting a DES-CBC key into a keytab, then using this keytab on the
> CISCO router. When you do this the user principal must also use
> DES-CBC-CRC or DES-CBC-MD5 etype.
The user principal (according to klist -e) is "DES cbc mode with CRC-32,
Triple DES cbc mode with HMAC/sha1", so here it seems to be OK to have the
user principal with both DES and 3DES keys.
> It is not clear to me what you mean by having principals using
> DES3-<something> ? Which principal do you refer to (user or service) ?
> Can you give a specific example to help me understand what you are
> trying to do ?
OK, sorry for not giving all the details. First it should be noted that my
Kerberos experience is pretty small, so I might confuse terms etc. But what
I meant to say is that when exporting keys (with ktadd) from kadmin, by
default it exports for both DES and 3DES. The problem was (I think) that the
3DES key is exported "first" in the keytab file, before the DES one. When I
issued "kerberos srvtab remote" on the Cisco device it said that it had
duplicate keys in the keytab file and that it "discarded" one of them (my
tests prove that the second one, i.e. the DES one, was discarded). So it
couldn't decrypt the tickets encrypted with its own service key from the
KDC. When I modified krb5.conf and kdc.conf to use only DES, recreated the
service principal and re-uploaded it to the Cisco device, it worked (but as you
see I haven't touched the user principal, which was created with the default
options).
So what I'm asking is how to either export only the DES key, or some way to
remove the 3DES key from a file with both DES and 3DES keys exported (of
the same principal, the service principal).
> Tim.
--
Mihai RUSU Email: dizzy at roedu.net
GPG : http://dizzy.roedu.net/dizzy-gpg.txt WWW: http://dizzy.roedu.net
"Linux is obsolete" -- AST
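The thread's actual question is how to get a keytab that carries only the DES key of the service principal. With MIT tools this is normally done either at export time (`ktadd -e des-cbc-crc:normal host/router.example.org` in kadmin, so only that enctype is written) or after the fact with `ktutil` (`rkt`, `list -e`, `delent N`, `wkt`). The following is an added example, not code from the thread or from MIT Kerberos: a small reader/writer for the MIT keytab file format (version 0x0502) that lists the enctype of each entry and writes a copy containing only the DES entries, so you can verify what a keytab really contains before handing it to a device that keeps only one key per principal. The principal name, realm, kvno and key bytes are constructed sample values.

```python
"""Minimal MIT keytab (version 0x0502) parser/writer used to keep only the
enctypes a client can handle, e.g. to drop a des3-cbc-sha1 entry that ktadd
wrote ahead of the des-cbc-crc entry.  Added example, not from the thread."""
import struct

# RFC 3961 / MIT enctype numbers relevant to this discussion
ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
            16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
DES_ENCTYPES = {1, 2, 3}


def _cstr(b):
    """Counted octet string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def encode_entry(realm, components, enctype, kvno, key, timestamp=0, name_type=1):
    """Serialise one keytab entry in the version-2 layout (with the trailing 32-bit kvno)."""
    body = struct.pack(">H", len(components)) + _cstr(realm.encode())
    for c in components:
        body += _cstr(c.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)  # name type, timestamp, 8-bit kvno
    body += struct.pack(">HH", enctype, len(key)) + key              # keyblock
    body += struct.pack(">I", kvno)                                   # optional 32-bit kvno
    return struct.pack(">i", len(body)) + body                        # entries are length-prefixed


def write_keytab(entries):
    return b"\x05\x02" + b"".join(encode_entry(**e) for e in entries)


def parse_keytab(data):
    """Return a list of entry dicts in file order (deleted slots are skipped)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is supported")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:               # negative size marks a deleted entry of |size| bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        strs = []
        for _ in range(ncomp + 1):  # realm first, then the name components
            (ln,) = struct.unpack_from(">H", data, pos)
            pos += 2
            strs.append(data[pos:pos + ln].decode())
            pos += ln
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:          # 32-bit kvno present; zero means "use vno8"
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or vno8
        pos = end
        entries.append(dict(realm=strs[0], components=strs[1:], enctype=enctype,
                            kvno=kvno, key=key, timestamp=timestamp, name_type=name_type))
    return entries


def describe(data):
    """Human-readable listing, comparable to `ktutil: list -e`."""
    return ["%s@%s kvno %d %s" % ("/".join(e["components"]), e["realm"], e["kvno"],
                                   ENCTYPES.get(e["enctype"], "enctype %d" % e["enctype"]))
            for e in parse_keytab(data)]


def filter_keytab(data, keep=DES_ENCTYPES):
    """Write a new keytab holding only entries whose enctype is in `keep`."""
    return write_keytab([e for e in parse_keytab(data) if e["enctype"] in keep])


def build_sample():
    """Constructed sample: 3DES entry written before the DES entry, as ktadd did in the thread."""
    svc = dict(realm="EXAMPLE.ORG", components=["host", "router.example.org"], kvno=3)
    return write_keytab([dict(svc, enctype=16, key=b"\x11" * 24),   # dummy 3DES key
                         dict(svc, enctype=1, key=b"\x22" * 8)])    # dummy DES key


if __name__ == "__main__":
    kt = build_sample()
    print("\n".join(describe(kt)))
    print("--- DES only ---")
    print("\n".join(describe(filter_keytab(kt))))
```

Read a real file with `open("router.keytab", "rb").read()` and write the filtered bytes back out with a new name; the device then sees a single key for the principal and nothing is discarded. The same tool is also a quick check that the DES key's kvno matches what the KDC currently holds.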