UNIX GSS-API / Windows SSPI
Douglas E. Engert
deengert at anl.gov
Fri Sep 17 15:25:28 EDT 2004
Jacques Lebastard wrote:
> Jeffrey Altman wrote:
>
>
>>There is no need to nor should you set the tkt and tgs enctypes.
>>MIT Kerberos 1.3 and higher support all of the enctypes used by
>>the Windows Kerberos SSPI.
>>
>>If your service is running on Unix, then you must make sure that
>>you create a keytab containing entries for each of the keys that
>>Windows can produce for the SPN. (RC4-HMAC, DES-CBC-MD5, DES-CBC-CRC).
>>The DES enctypes will only be used if the account associated with
>>the SPN is marked DES only.
>
>
> How can I check this and, second question, how can I generate a keytab
> with RC4-HMAC encryption? The ktpass tool does not accept the RC4-HMAC
> crypto type:
>
If you knew the password (or key) added to AD, you could try using ktutil,
instead of ktpass.
Use addent ... -e arcfour-hmac-md5
Ktutil let me create a keytab; I don't know if it is correct.
> [- /] crypto : Cryptosystem to use
> [- /] crypto : is one of:
> [- /] crypto : DES-CBC-CRC : for compatibility
> [- /] crypto : DES-CBC-MD5 : default
>
> Trying '-crypto RC4-HMAC' indicates that the SPN is marked for DES only!
> How can I modify this?
>
> Thanks for your help,
>
>
>>Jacques Lebastard wrote:
>>
>>
>>>Hi there,
>>>
>>>our client/server application uses either SSPI (Windows) or GSS-API
>>>(UNIX) in order to establish a secure context.
>>>
>>>In order to make it work properly, I had to set specific encryption
>>>types in the krb5.conf file of the UNIX server:
>>>
>>>[libdefaults]
>>> default_tkt_enctypes = des-cbc-md5
>>> default_tgs_enctypes = des-cbc-md5
>>>
>>>Does that mean that the established session keys are DES 64 bits
>>>*ONLY*? It sounds like a weak encryption...
>>>
>>>Are any other encryption types compatible between MIT and Windows
>>>2000/2003 (native) Kerberos implementations?
>>>
>>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
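The check Jeffrey Altman describes above, that the Unix service's keytab holds a key for every enctype Windows can issue for the SPN, as an added Python example that is not part of this thread or of MIT Kerberos: it parses an MIT-format keytab and reports which of RC4-HMAC, DES-CBC-MD5 and DES-CBC-CRC have no entry for a given principal. The SPN and the keytab bytes are constructed here; the enctype numbers are those assigned by RFC 3961 and RFC 4757.

```python
import struct

ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac-md5"}  # RFC 3961 / 4757
WINDOWS_ENCTYPES = set(ENCTYPE_NAMES)  # key types Windows may issue a service ticket with

def _counted(buf, off):
    """Read a uint16-length-prefixed octet string; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse an MIT keytab in format version 0x0502 into a list of key entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("expected an MIT keytab, version 0x0502")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                     # a negative size marks a deleted slot
            off += -size
            continue
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, p = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(data, p)
            comps.append(c.decode())
        # skip name_type (4), timestamp (4) and the 8-bit kvno (1); the keyblock follows
        etype, klen = struct.unpack_from(">HH", data, p + 9)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "enctype": etype, "keylen": klen})
        off += size                       # the next record starts after this one
    return entries

def missing_windows_enctypes(entries, principal):
    """Names of the Windows-issued enctypes for which `principal` has no keytab key."""
    present = {e["enctype"] for e in entries if e["principal"] == principal}
    return sorted(ENCTYPE_NAMES[t] for t in WINDOWS_ENCTYPES - present)

def build_entry(principal, kvno, etype, key):  # serializer used only for the sample below
    name, realm = principal.split("@")
    parts = [realm.encode()] + [c.encode() for c in name.split("/")]
    body = struct.pack(">H", len(parts) - 1)
    body += b"".join(struct.pack(">H", len(s)) + s for s in parts)
    body += struct.pack(">IIBHH", 1, 1095441928, kvno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample, not a real keytab: the SPN holds a DES-CBC-MD5 key only.
SPN = "host/unixsrv.example.org@EXAMPLE.ORG"
SAMPLE_KEYTAB = b"\x05\x02" + build_entry(SPN, 2, 3, b"\x13" * 8)
```

Run against a real file with `parse_keytab(open(path, "rb").read())`; an empty result from `missing_windows_enctypes` means the keytab covers every key type Windows can hand out for that SPN.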