cisco & krb5

Mihai RUSU dizzy at roedu.net
Wed Mar 24 10:17:18 EST 2004


On Wed, 24 Mar 2004, Tim Alsop wrote:

> Mihai,
> 
> I cannot see any issue with creating a service principal in KDC and
> extracting a DES-CBC key into a keytab, then using this keytab on the
> CISCO router. When you do this the user principal must also use
> DES-CBC-CRC or DES-CBC-MD5 etype.

The user principal (according to klist -e) is "DES cbc mode with CRC-32, 
Triple DES cbc mode with HMAC/sha1", so here it seems to be ok to have the 
user principal with both DES and 3DES keys.

> It is not clear to me what you mean by having principals using
> DES3-<something> ? Which principal do you refer to (user or service) ?
> Can you give a specific example to help me understand what you are
> trying to do ?

Ok, sorry for not giving all the details. First it should be noted that my 
Kerberos experience is pretty small, so I might confuse terms etc. But what 
I meant to say is that when exporting keys (with ktadd) from kadmin, by 
default it exports for both DES and 3DES. The problem was (I think) that the 
3DES key is exported "first" in the keytab file, before the DES one. When I 
issued "kerberos srvtab remote" on the Cisco device, it said that it had 
duplicate keys in the keytab file and that it "discarded" one of them (my 
tests prove that the second one, i.e. the DES one, was discarded). So it 
couldn't decrypt the tickets encrypted with its own service key from the 
KDC. When I modified krb5.conf and kdc.conf to use only DES, recreated the 
service principal and re-uploaded to the Cisco device, it worked (but as you 
see I haven't touched the user principal, which was created with the default 
options).

So what I'm asking is how to either export only the DES key, or some way to 
remove the 3DES key from a file with both DES and 3DES keys exported (of 
the same principal, the service principal).

> Tim.

-- 
Mihai RUSU                                    Email: dizzy at roedu.net
GPG : http://dizzy.roedu.net/dizzy-gpg.txt    WWW: http://dizzy.roedu.net
                       "Linux is obsolete" -- AST
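The post above describes a keytab that holds a 3DES entry followed by a single-DES entry for the same service principal, with the device keeping only the first one. The script below is an added example, not code from this thread or from MIT Kerberos or Cisco: it parses an MIT keytab in file format 0x0502, drops every entry whose enctype is not DES-CBC-CRC (1) or DES-CBC-MD5 (3), and writes the remaining entries back out, so the 3DES key never reaches the router. The principal name, timestamp and key bytes in `sample_keytab()` are constructed for the demonstration. (MIT kadmin's `ktadd` also accepts `-e keysaltlist`, e.g. `-e des-cbc-crc:normal`, to restrict which enctypes are exported in the first place; the filter here is for a keytab that already contains both.)

```python
# Added example (not from the thread): reads an MIT keytab (format 0x0502),
# drops entries whose enctype is not single DES, and writes the rest back.
import struct

# Well-known RFC 3961 enctype numbers.
ENCTYPE_DES_CBC_CRC = 1
ENCTYPE_DES_CBC_MD5 = 3
ENCTYPE_DES3_CBC_SHA1 = 16
SINGLE_DES = {ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD5}

KEYTAB_VERSION = b"\x05\x02"      # MIT keytab file format version 2
KRB5_NT_PRINCIPAL = 1             # name type for ordinary principals


def _read_counted(buf, pos):
    """Read a 16-bit length-prefixed octet string; return (bytes, new position)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def _counted(b):
    return struct.pack(">H", len(b)) + b


def parse_keytab(data):
    """Return the entries of a 0x0502 keytab; deleted entries (negative size) are skipped."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("only keytab format 0x0502 is handled")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # hole left by a deleted entry
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp)
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        vno = vno8
        if end - pos >= 4:                # optional 32-bit kvno overrides the 8-bit one
            (vno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"realm": realm, "components": comps, "name_type": name_type,
                        "timestamp": timestamp, "vno": vno, "enctype": enctype, "key": key})
    return entries


def build_keytab(entries):
    """Serialise entries back into a 0x0502 keytab (always writes the 32-bit kvno)."""
    out = bytearray(KEYTAB_VERSION)
    for e in entries:
        body = struct.pack(">H", len(e["components"])) + _counted(e["realm"])
        for comp in e["components"]:
            body += _counted(comp)
        body += struct.pack(">IIB", e["name_type"], e["timestamp"], e["vno"] & 0xFF)
        body += struct.pack(">HH", e["enctype"], len(e["key"])) + e["key"]
        body += struct.pack(">I", e["vno"])
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def principal_name(entry):
    return b"/".join(entry["components"]).decode() + "@" + entry["realm"].decode()


def filter_keytab(data, keep_enctypes=frozenset(SINGLE_DES)):
    """Keep only entries whose enctype is in keep_enctypes (default: single DES)."""
    kept = [e for e in parse_keytab(data) if e["enctype"] in keep_enctypes]
    return build_keytab(kept)


def sample_keytab():
    """Constructed keytab: the 3DES entry first, then the DES entry, as the post
    describes ktadd's output. Principal, timestamp and key bytes are made up."""
    base = {"realm": b"EXAMPLE.COM", "components": [b"host", b"router.example.com"],
            "name_type": KRB5_NT_PRINCIPAL, "timestamp": 1080140000, "vno": 2}
    return build_keytab([
        dict(base, enctype=ENCTYPE_DES3_CBC_SHA1, key=bytes(range(0x10, 0x28))),  # 24-byte key
        dict(base, enctype=ENCTYPE_DES_CBC_CRC, key=bytes(range(0x01, 0x09))),    # 8-byte key
    ])


if __name__ == "__main__":
    original = sample_keytab()
    des_only = filter_keytab(original)
    for label, blob in (("before", original), ("after", des_only)):
        print(label, [(principal_name(e), e["enctype"], len(e["key"]))
                      for e in parse_keytab(blob)])
    with open("router-des-only.keytab", "wb") as f:   # what you would upload to the device
        f.write(des_only)
```

To apply it to a real file, replace `sample_keytab()` with the bytes read from the keytab that `ktadd` produced; the output keeps the original principal, kvno and timestamp and differs only in the entries removed. Deleted entries in a keytab edited by `ktutil` appear as holes with a negative size field, which the parser skips rather than misreading as data.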

