Getting single DES TGT
Sam Hartman
hartmans at MIT.EDU
Thu Apr 7 17:35:59 EDT 2005
>>>>> "Craig" == Craig Huckabee <huck at spawar.navy.mil> writes:
Craig> Hi all, I saw this discussion on krb-dev on moving to 3DES
Craig> support and wanted to ask a similar question (hopefully
Craig> more appropriately on this list).
Craig> We're trying to use the Advanced Security Option in
Craig> Oracle 9.x/10.x to enable Kerberos authentication -
Craig> unfortunately, they don't support 3DES keys yet and won't
Craig> for the near future. Our KDC is MIT 1.3.6 running on
Craig> Linux.
Craig> I've been trying to force clients to ask only for
Craig> des-cbc-crc TGTs, but haven't been able to do so. A
Craig> getprinc on the krbtgt principal for my realm looks like:
Craig> Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
Craig> Key: vno 3, DES cbc mode with CRC-32, no salt
Craig> Key: vno 3, DES cbc mode with CRC-32, Version 4
Craig> But even when I set:
Craig> default_tgs_enctypes = des-cbc-crc
Craig> default_tkt_enctypes = des-cbc-crc
Craig> on the client, I get a des-cbc-crc session key, but a 3des
Craig> tkt. This happens with an MIT 1.3.6 kinit on Linux and
Craig> Solaris.
As you should. It would be a security weakness for the client to be
able to influence the ticket key. Besides, a correctly written client
should not even notice the ticket key.
Unfortunately Oracle is not a correctly written client. Their code
was based on MIT Kerberos from before the 1.0 release and is missing a
fix that is necessary to make multiple encryption types work. Despite
several attempts to work with the Oracle developers, Oracle has not
seen the need to fix this bug.
The best you can do is use the -e argument of the kvno program to
request a des-cbc-crc ticket for the appropriate oracle service
principal before you start Oracle.
--Sam
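An added example, not part of the thread: a small POSIX sh helper that distinguishes the session-key enctype from the ticket enctype in `klist -e` output, so that after the `kvno -e des-cbc-crc` step Sam suggests you can confirm the Oracle service ticket itself is single DES. The realm, host and cache contents are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes the MIT klist -e
# layout, where each service line is followed by
#   Etype (skey, tkt): <session-key enctype>, <ticket enctype>

# Print the ticket enctype for the given service principal, reading
# klist -e output on stdin. Prints nothing if the principal is absent.
ticket_enctype() {
    awk -v princ="$1" '
        $NF == princ { found = 1; next }   # service line: principal is last field
        found && /Etype \(skey, tkt\):/ {
            sub(/.*Etype \(skey, tkt\): */, "")
            split($0, t, /, /)
            print t[2]; exit               # second entry is the ticket enctype
        }
        { found = 0 }'
}

# Constructed sample cache (hypothetical realm and host names): the TGT has a
# DES session key but a 3DES ticket, the Oracle service ticket is single DES.
SAMPLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: huck@EXAMPLE.COM

Valid starting     Expires            Service principal
04/07/05 17:35:59  04/08/05 03:35:59  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    Etype (skey, tkt): DES cbc mode with CRC-32, Triple DES cbc mode with HMAC/sha1
04/07/05 17:36:10  04/08/05 03:35:59  oracle/db1.example.com@EXAMPLE.COM
    Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32'

# Request a single-DES service ticket and verify it before starting the
# client. Needs a real krb5 install, so it is defined but not run here.
fetch_des_ticket() {
    kvno -e des-cbc-crc "$1" >/dev/null || return 1
    case "$(klist -e | ticket_enctype "$1")" in
        "DES cbc mode with CRC-32"|des-cbc-crc) return 0 ;;
        *) echo "ticket for $1 is not single DES" >&2; return 1 ;;
    esac
}

printf '%s\n' "$SAMPLE" | ticket_enctype 'krbtgt/EXAMPLE.COM@EXAMPLE.COM'
printf '%s\n' "$SAMPLE" | ticket_enctype 'oracle/db1.example.com@EXAMPLE.COM'
```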