Getting single DES TGT[was Re: KDC: upgrade to 3DES]
Craig Huckabee
huck at spawar.navy.mil
Thu Apr 7 19:00:06 EDT 2005
Tim,
Thanks for the idea - but looks like they dropped Cybersafe in 10g. :(
We were hoping to make this work on 8,9,&10.
--Craig
Tim Alsop wrote:
> If you use the CyberSafe adapter (also included in Oracle 8i and 9i) -
> this adapter uses GSS-API and calls our library, which supports 3DES.
>
> It looks like you have noticed that the Oracle ASO 'Kerberos' adapter
> includes Kerberos code based on an old release of MIT libraries.
> However, the 'CyberSafe' adapter included in ASO uses GSS-API, which
> means the GSS-API/Kerberos library can be updated to support new ciphers
> when available without affecting the Oracle software deployment - a much
> better architecture, I am sure you will agree?
>
> Regards,
>
> Tim Alsop
> CyberSafe Limited
>
> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
> Behalf Of Craig Huckabee
> Sent: 07 April 2005 22:14
> To: kerberos at mit.edu
> Subject: Getting single DES TGT[was Re: KDC: upgrade to 3DES]
>
> Hi all,
>
> I saw this discussion on krb-dev on moving to 3DES support and wanted
> to ask a similar question (hopefully more appropriately on this list).
>
> We're trying to use the Advanced Security Option in Oracle 9.x/10.x
> to enable Kerberos authentication - unfortunately, they don't support
> 3DES keys yet and won't for the near future. Our KDC is MIT 1.3.6
> running on Linux.
>
> I've been trying to force clients to ask only for des-cbc-crc TGTs,
> but haven't been able to do so. A getprinc on the krbtgt principal for
> my realm looks like:
>
> Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
> Key: vno 3, DES cbc mode with CRC-32, no salt
> Key: vno 3, DES cbc mode with CRC-32, Version 4
>
> But even when I set:
>
> default_tgs_enctypes = des-cbc-crc
> default_tkt_enctypes = des-cbc-crc
>
> on the client, I get a des-cbc-crc session key, but a 3des tkt. This
> happens with an MIT 1.3.6 kinit on Linux and Solaris.
>
> Is the KDC just picking the first key type from the list of available
> encryption types, despite what the client asks for? Any suggestions
> for testing this theory (I've done some ethereal sniffs which lead me to
> think the KDC is at fault)?
>
> Help, advice, even flames welcome at this point,
> Craig
>
> PS If you work from Oracle and are reading this, get back to work and
> update your Kerberos base code!
>
>
>
>
> -------- Original Message --------
> Subject: Re: KDC: upgrade to 3DES
> Date: Thu, 7 Apr 2005 08:38:07 -0400 (EDT)
> From: Shivakeshav Santi <ss488 at cornell.edu>
> To: Jeffrey Altman <jaltman at columbia.edu>
> CC: krbdev at mit.edu
> References: <20050405203823.63766.qmail at web41502.mail.yahoo.com>
> <4252FC34.7010803 at columbia.edu>
>
>
>
> Jeff,
>
> Following are the answers for the Qs:
> 1)did you rekey your principal (aka change your password?)
> yes. Following is the output of getprinc :
>
> Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
> Key: vno 2, DES cbc mode with CRC-32, no salt
> Key: vno 2, DES cbc mode with CRC-32, Version 4
>
>
> 2)is your client restricting the requested enctypes in the krb5.conf
> file?
> it does allow des3-hmac-sha1 . Corresponding lines from krb5.conf :
> default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
> default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
>
>
> 3)does the client you are using support 3DES?
>
> yes, I am using MIT kinit from krb5 1.3.4.
>
> Thanks for your help
>
>
>
>>shivakeshav santi wrote:
>>
>>
>>>HI,
>>>
>>> I am trying to upgrade the encryption type on the KDC to support
>>>3DES. I have made the relevant changes in krb5.conf and
>>>kdc.conf(supported_enctypes,
>>>kdc_supported_enctypes,default_tgs_enctypes,default_tkt_enctypes
>>>:des3-hmac-sha1 des-cbc-crc)
>>>
>>>But when I use kinit, I only get the tickets with single des.
>>> Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
>>>
>>>Am I missing something?
>>>
>>>Thank you for your help.
>>
>>Just a few questions for you to answer:
>>
>>did you rekey your principal (aka change your password?)
>>
>>is your client restricting the requested enctypes in the krb5.conf file?
>>
>>does the client you are using support 3DES?
>>
>>Jeffrey Altman
>>_______________________________________________
>>krbdev mailing list krbdev at mit.edu
>>https://mailman.mit.edu/mailman/listinfo/krbdev
>>
>
>
>
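One way to test the "KDC picks the first key" theory raised in the quoted messages, as an added example that is not from any poster in this thread: compare the client's configured enctype list and the krbtgt keys shown by getprinc against the `Etype (skey, tkt):` line that `klist -e` prints. The function names are hypothetical, and the klist line is constructed from the description "a des-cbc-crc session key, but a 3des tkt".

```python
import re

# Display names from the thread's getprinc/klist output -> krb5.conf names.
DISPLAY_TO_CONF = {
    "Triple DES cbc mode with HMAC/sha1": "des3-hmac-sha1",
    "DES cbc mode with CRC-32": "des-cbc-crc",
}

# krbtgt keys exactly as quoted in the thread.
GETPRINC_KRBTGT = """\
Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 3, DES cbc mode with CRC-32, no salt
Key: vno 3, DES cbc mode with CRC-32, Version 4
"""
# Constructed line matching the reported "des-cbc-crc session key, 3des tkt".
KLIST_LINE = ("Etype (skey, tkt): DES cbc mode with CRC-32, "
              "Triple DES cbc mode with HMAC/sha1")

def parse_getprinc_keys(text):
    """Return [(kvno, enctype, salt), ...] in the order getprinc lists them."""
    pat = re.compile(r"Key: vno (\d+), (.+?), (no salt|Version 4)\s*$", re.M)
    return [(int(k), DISPLAY_TO_CONF.get(e, e), s) for k, e, s in pat.findall(text)]

def parse_klist_etypes(line):
    """Return (session_key_enctype, ticket_enctype) from a klist -e line."""
    m = re.search(r"Etype \(skey, tkt\):\s*(.+?),\s*(.+?)\s*$", line)
    if not m:
        raise ValueError("no 'Etype (skey, tkt):' field found")
    return tuple(DISPLAY_TO_CONF.get(g, g) for g in m.groups())

def check(client_enctypes, getprinc_text, klist_line):
    """Compare what the client asked for with what the ticket cache shows."""
    requested = client_enctypes.split()
    keys = parse_getprinc_keys(getprinc_text)
    skey, tkt = parse_klist_etypes(klist_line)
    return {
        "skey": skey,
        "tkt": tkt,
        "skey_in_client_list": skey in requested,
        "tkt_in_client_list": tkt in requested,
        # True supports the theory that the first listed key encrypts the ticket.
        "tkt_is_first_listed_key": bool(keys) and tkt == keys[0][1],
        "single_des_in_use": [n for n in (skey, tkt) if n.startswith("des-")],
    }

if __name__ == "__main__":
    print(check("des-cbc-crc", GETPRINC_KRBTGT, KLIST_LINE))
```
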