UNIX GSS-API / Windows SSPI :
Jacques Lebastard
jacques.lebastard at evidian.com
Fri Sep 17 13:16:47 EDT 2004
Jeffrey Altman wrote:
> There is no need to nor should you set the tkt and tgs enctypes.
> MIT Kerberos 1.3 and higher support all of the enctypes used by
> the Windows Kerberos SSPI.
>
> If your service is running on Unix, then you must make sure that
> you create a keytab containing entries for each of the keys that
> Windows can produce for the SPN. (RC4-HMAC, DES-CBC-MD5, DES-CBC-CRC).
> The DES enctypes will only be used if the account associated with
> the SPN is marked DES only.
How can I check this and, second question, how can I generate a keytab
with RC4-HMAC encryption? The ktpass tool does not accept the RC4-HMAC
crypto type:
[- /] crypto : Cryptosystem to use
[- /] crypto : is one of:
[- /] crypto : DES-CBC-CRC : for compatibility
[- /] crypto : DES-CBC-MD5 : default
Trying '-crypto RC4-HMAC' indicates that the SPN is marked for DES only!
How can I modify this?
Thanks for your help,
>
> Jacques Lebastard wrote:
>
>>
>> Hi there,
>>
>> our client/server application uses either SSPI (Windows) or GSS-API
>> (UNIX) in order to establish a secure context.
>>
>> In order to make it work properly, I had to set specific encryption
>> types in the krb5.conf file of the UNIX server:
>>
>> [libdefaults]
>> default_tkt_enctypes = des-cbc-md5
>> default_tgs_enctypes = des-cbc-md5
>>
>> Does that mean that the established session keys are DES 64 bits
>> *ONLY*? It sounds like a weak encryption...
>>
>> Are any other encryption types compatible between MIT and Windows
>> 2000/2003 (native) Kerberos implementations?
>>
>
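An added example, not part of the original thread or of any project's code: one way to check which of the three enctypes named above (RC4-HMAC, DES-CBC-MD5, DES-CBC-CRC) a keytab on the Unix side actually holds for an SPN, by reading the MIT keytab file format (version 0x0502) directly. The principal, realm and all-zero keys are constructed sample values, and the helper names are hypothetical.

```python
import struct

# Enctype numbers for the three enctypes named in the thread.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}

def counted(buf, pos):
    """Read a 16-bit length-prefixed string; return (text, next offset)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):
    """Return {principal: set of enctype numbers} for a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    found, pos = {}, 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                  # negative size marks a deleted entry
            pos += -size
            continue
        end = pos + size
        if end > len(data):
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = counted(data, p)
            comps.append(comp)
        p += 4 + 4 + 1                 # name type, timestamp, 8-bit kvno
        (etype,) = struct.unpack_from(">H", data, p)
        found.setdefault("/".join(comps) + "@" + realm, set()).add(etype)
        pos = end
    return found

def missing_enctypes(data, principal, wanted=(23, 3, 1)):
    """Names of the wanted enctypes that have no key for this principal."""
    have = parse_keytab(data).get(principal, set())
    return [ENCTYPES[e] for e in wanted if e not in have]

def entry(realm, comps, etype, key, kvno=3):
    """Build one keytab entry (used only to construct the sample below)."""
    s = lambda t: struct.pack(">H", len(t)) + t.encode()
    body = struct.pack(">H", len(comps)) + s(realm) + b"".join(map(s, comps))
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: a DES-only keytab, as ktpass produced in the thread.
PRINCIPAL = "host/unix.example.com@EXAMPLE.COM"
SAMPLE = b"\x05\x02" + b"".join(
    entry("EXAMPLE.COM", ["host", "unix.example.com"], e, bytes(8)) for e in (3, 1))
print(missing_enctypes(SAMPLE, PRINCIPAL))
```

To check a real file, pass the bytes of the keytab and the SPN as it appears in the file to missing_enctypes().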