cisco & krb5

Kevin Coffman kwc at citi.umich.edu
Wed Mar 24 11:53:15 EST 2004


Mihai,
There is a "-e" option to the ktadd command to limit the keys generated 
for the principal (and placed in the keytab file).

You want to do something like:

kadmin> ktadd -e des-cbc-crc:normal your/principal@YOUR.REALM

K.C.


> Mihai,
> 
> I am not familiar with the ktadd utility that exports two keys into a keytab. Our KDC key table management utility does not work this way. Is it possible using your key table management utility to remove a specific key from the table?
> 
> Sorry, but I cannot help with MIT specifics with regard to key table management - our product is not based on MIT code, but conforms to the same RFCs and Internet drafts. Maybe somebody else on this list can help you on this bit?
> 
> Thanks, Tim.
> 
> -----Original Message-----
> From: Mihai RUSU [mailto:dizzy at roedu.net] 
> Sent: 24 March 2004 15:17
> To: Kerberos at mit.edu
> Subject: RE: cisco & krb5
> 
> On Wed, 24 Mar 2004, Tim Alsop wrote:
> 
> > Mihai,
> > 
> > I cannot see any issue with creating a service principal in KDC and
> > extracting a DES-CBC key into a keytab, then using this keytab on the
> > CISCO router. When you do this the user principal must also use
> > DES-CBC-CRC or DES-CBC-MD5 etype.
> 
> The user principal (according to klist -e) is "DES cbc mode with CRC-32, 
> Triple DES cbc mode with HMAC/sha1", so here it seems to be ok to have the 
> user principal with both DES and 3DES keys.
> 
> > It is not clear to me what you mean by having principals using
> > DES3-<something> ? Which principal do you refer to (user or service) ?
> > Can you give a specific example to help me understand what you are
> > trying to do ?
> 
> Ok, sorry for not giving all the details. First it should be noted that my 
> Kerberos experience is pretty small so I might confuse terms etc. But what 
> I meant to say is that when exporting keys (with ktadd) from kadmin, by 
> default it exports both DES and 3DES. The problem was (I think) that the 
> 3DES key is exported "first" in the keytab file, before the DES one. When I 
> issued "kerberos srvtab remote" on the Cisco device it said that it had 
> duplicate keys in the keytab file and that it "discarded" one of them (my 
> tests prove that the second one, i.e. the DES one, was discarded). So it 
> couldn't decrypt the tickets encrypted with its own service key from the 
> KDC. When I modified krb5.conf and kdc.conf to use only DES, recreated the 
> service principal and re-uploaded it to the Cisco device, it worked (but as you 
> see I haven't touched the user principal, which was created with the default 
> options).
> 
> So what I'm asking is how to either export only the DES key, or some way to 
> remove the 3DES key from a file with both DES and 3DES keys exported (of 
> the same principal, the service principal).
> 
> > Tim.
> 
> -- 
> Mihai RUSU                                    Email: dizzy at roedu.net
> GPG : http://dizzy.roedu.net/dizzy-gpg.txt    WWW: http://dizzy.roedu.net
>                        "Linux is obsolete" -- AST
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
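Both halves of Mihai's question (export only one enctype, or strip an unwanted key from a keytab that already holds two) come down to what is in the keytab file. The following is an added example, not code from this thread or from MIT krb5: a small parser for the MIT keytab format (version 0x0502) that lists each entry's enctype the way "klist -e -k" would, and writes back a copy that keeps only the enctypes a given consumer supports. The principal host/router@EXAMPLE.COM, the key bytes and the timestamp are constructed for the demonstration; the enctype numbers are the real RFC 3961 assignments.

```python
"""Inspect and filter an MIT-format keytab by enctype (added example)."""
import struct

# Enctype numbers from RFC 3961 / MIT krb5 (real values); names are display only.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
SINGLE_DES = {1, 3}          # the etypes the router in the thread accepts
KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab file format, version 2


def _octets(data: bytes) -> bytes:
    """Counted octet string: uint16 big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def build_entry(name, realm, enctype, key, kvno, timestamp, name_type=1):
    """Serialize one entry: int32 body length, then the body (MIT layout)."""
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _octets(realm.encode())
    for c in comps:
        body += _octets(c.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)      # optional 32-bit kvno extension
    return struct.pack(">i", len(body)) + body


def parse_keytab(blob: bytes) -> list:
    """Return one dict per live entry; negative-size (deleted) slots are skipped."""
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 MIT keytab")
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                     # deleted slot: skip |size| bytes
            pos -= size
            continue
        body, pos = blob[pos:pos + size], pos + size
        ncomp, rlen = struct.unpack_from(">HH", body, 0)
        off = 4
        realm = body[off:off + rlen].decode()
        off += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", body, off)
            off += 2
            comps.append(body[off:off + clen].decode())
            off += clen
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", body, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", body, off)
        off += 4
        key = body[off:off + klen]
        off += klen
        kvno = vno8
        if off + 4 <= len(body):         # 32-bit kvno present, takes precedence
            (kvno,) = struct.unpack_from(">I", body, off)
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "enctype": enctype, "kvno": kvno, "key": key,
                        "timestamp": timestamp, "name_type": name_type})
    return entries


def describe(blob: bytes) -> list:
    """klist -e -k style listing: (kvno, principal, enctype name) per entry."""
    return [(e["kvno"], e["principal"],
             ENCTYPE_NAMES.get(e["enctype"], "etype %d" % e["enctype"]))
            for e in parse_keytab(blob)]


def filter_keytab(blob: bytes, allowed: set) -> bytes:
    """Write a new keytab holding only entries whose enctype is in `allowed`."""
    out = KEYTAB_MAGIC
    for e in parse_keytab(blob):
        if e["enctype"] in allowed:
            name, realm = e["principal"].rsplit("@", 1)
            out += build_entry(name, realm, e["enctype"], e["key"],
                               e["kvno"], e["timestamp"], e["name_type"])
    return out


def sample_keytab() -> bytes:
    """Constructed keytab: 3DES entry first, then DES, as the thread describes."""
    ts = 1080146400                       # constructed timestamp
    return (KEYTAB_MAGIC
            + build_entry("host/router", "EXAMPLE.COM", 16, b"\x11" * 24, 2, ts)
            + build_entry("host/router", "EXAMPLE.COM", 1, b"\x22" * 8, 2, ts))


if __name__ == "__main__":
    kt = sample_keytab()
    for row in describe(kt):
        print(row)
    print(describe(filter_keytab(kt, SINGLE_DES)))
```

With the stock MIT tools the same cleanup is done interactively in ktutil ("rkt", "list -e", "delent <slot>", "wkt"), while "ktadd -e" avoids creating the unwanted entry in the first place. Note that current MIT krb5 releases refuse single-DES enctypes unless allow_weak_crypto is enabled in krb5.conf, so a keytab trimmed down to DES only works against a KDC and clients that still permit it.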