Getting single DES TGT[was Re: KDC: upgrade to 3DES]
Tim Alsop
Tim.Alsop at CyberSafe.Ltd.UK
Thu Apr 7 18:09:09 EDT 2005
If you use the CyberSafe adapter (also included in Oracle 8i and 9i) -
this adapter uses GSS-API and calls our library, which supports 3DES.
It looks like you have noticed that the Oracle ASO 'Kerberos' adapter
includes Kerberos code based on an old release of MIT libraries.
However, the 'CyberSafe' adapter included in ASO uses GSS-API, which
means the GSS-API/Kerberos library can be updated to support new ciphers
when available without affecting the Oracle software deployment - a much
better architecture, I am sure you will agree?
Regards,
Tim Alsop
CyberSafe Limited
-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
Behalf Of Craig Huckabee
Sent: 07 April 2005 22:14
To: kerberos at mit.edu
Subject: Getting single DES TGT[was Re: KDC: upgrade to 3DES]
Hi all,
I saw this discussion on krb-dev on moving to 3DES support and wanted
to ask a similar question (hopefully more appropriately on this list).
We're trying to use the Advanced Security Option in Oracle 9.x/10.x
to enable Kerberos authentication - unfortunately, they don't support
3DES keys yet and won't for the near future. Our KDC is MIT 1.3.6
running on Linux.
I've been trying to force clients to ask only for des-cbc-crc TGTs,
but haven't been able to do so. A getprinc on the krbtgt principal for
my realm looks like:
Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 3, DES cbc mode with CRC-32, no salt
Key: vno 3, DES cbc mode with CRC-32, Version 4
But even when I set:
default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
on the client, I get a des-cbc-crc session key, but a 3des tkt. This
happens with an MIT 1.3.6 kinit on Linux and Solaris.
Is the KDC just picking the first key type from the list of available
encryption types, despite what the client asks for? Any suggestions
for testing this theory (I've done some ethereal sniffs which lead me to
think the KDC is at fault)?
Help, advice, even flames welcome at this point,
Craig
PS If you work from Oracle and are reading this, get back to work and
update your Kerberos base code!
-------- Original Message --------
Subject: Re: KDC: upgrade to 3DES
Date: Thu, 7 Apr 2005 08:38:07 -0400 (EDT)
From: Shivakeshav Santi <ss488 at cornell.edu>
To: Jeffrey Altman <jaltman at columbia.edu>
CC: krbdev at mit.edu
References: <20050405203823.63766.qmail at web41502.mail.yahoo.com>
<4252FC34.7010803 at columbia.edu>
Jeff,
Following are the answers for the Qs:
1)did you rekey your principal (aka change your password?)
yes. Following is the output of getprinc:
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, DES cbc mode with CRC-32, no salt
Key: vno 2, DES cbc mode with CRC-32, Version 4
2)is your client restricting the requested enctypes in the krb5.conf
file?
it does allow des3-hmac-sha1. Corresponding lines from krb5.conf:
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
3)does the client you are using support 3DES?
yes, I am using MIT kinit from krb5 1.3.4.
Thanks for your help
> shivakeshav santi wrote:
>
>> HI,
>>
>> I am trying to upgrade the encryption type on the KDC to support
>> 3DES. I have made the relevant changes in krb5.conf and
>> kdc.conf(supported_enctypes,
>> kdc_supported_enctypes,default_tgs_enctypes,default_tkt_enctypes
>> :des3-hmac-sha1 des-cbc-crc)
>>
>> But when I use kinit , I only get the tickets with single des.
>> Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
>>
>> Am I missing something?
>>
>> Thank you for your help.
>
> Just a few questions for you to answer:
>
> did you rekey your principal (aka change your password?)
>
> is your client restricting the requested enctypes in the krb5.conf file?
>
> does the client you are using support 3DES?
>
> Jeffrey Altman
> _______________________________________________
> krbdev mailing list krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
>
--
Shivakeshav Santi
Programmer Analyst/Senior
Cornell Information Technologies
120 Maple Avenue
Cornell University
Tel: 6072551916 (O)
Ability may get you to the top, but only character will keep you there
.....
_______________________________________________
krbdev mailing list krbdev at mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
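The behaviour Craig asks about above (a des-cbc-crc session key but a 3DES ticket, no matter what the client requests) as an added illustration that is not part of any message in this thread: a small Python model that parses a kadmin getprinc key list and picks the two enctypes the way RFC 4120 separates them, with the ticket encrypted under the service's (krbtgt's) own key and the client's etype list only shaping the session key. The concrete selection rule used here (first key at the krbtgt's highest kvno, first permitted etype from the client's list) is an assumption stated in the code, not a quote of MIT's implementation; the sample key list is constructed from Craig's post.

```python
import re
from dataclasses import dataclass

# kadmin getprinc prints human-readable key descriptions; map them back
# to the enctype names used in krb5.conf.
GETPRINC_NAMES = {
    "Triple DES cbc mode with HMAC/sha1": "des3-hmac-sha1",
    "DES cbc mode with CRC-32": "des-cbc-crc",
}

# Constructed sample: the krbtgt key list Craig posted (vno 3, 3DES listed first).
CRAIG_KRBTGT = """\
Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 3, DES cbc mode with CRC-32, no salt
Key: vno 3, DES cbc mode with CRC-32, Version 4
"""

@dataclass(frozen=True)
class Key:
    kvno: int
    enctype: str
    salt: str

def parse_getprinc_keys(text):
    """Parse 'Key: vno N, <enctype>, <salt>' lines from getprinc output."""
    keys = []
    for line in text.splitlines():
        m = re.match(r"\s*Key: vno (\d+), (.+?), (.+)$", line)
        if m:
            kvno, desc, salt = int(m.group(1)), m.group(2), m.group(3)
            keys.append(Key(kvno, GETPRINC_NAMES.get(desc, desc), salt))
    return keys

def choose_enctypes(krbtgt_keys, client_tkt_enctypes, kdc_permitted):
    """Model (assumption): ticket enctype = first key at the krbtgt's highest
    kvno, chosen without regard to the client; session key enctype = first
    client-requested enctype the KDC permits. Returns (session, ticket)."""
    top = max(k.kvno for k in krbtgt_keys)
    ticket = next(k.enctype for k in krbtgt_keys if k.kvno == top)
    session = next((e for e in client_tkt_enctypes if e in kdc_permitted), None)
    return session, ticket

def craig_case():
    """Client forces des-cbc-crc while krbtgt has a 3DES key listed first."""
    keys = parse_getprinc_keys(CRAIG_KRBTGT)
    return choose_enctypes(keys, ["des-cbc-crc"], {"des3-hmac-sha1", "des-cbc-crc"})

if __name__ == "__main__":
    print(craig_case())  # ('des-cbc-crc', 'des3-hmac-sha1')
```

Under this model the client's default_tkt_enctypes can only change the session key; the ticket enctype follows the krbtgt key set itself, which is why editing krb5.conf on the client alone had no effect on the ticket.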