Getting single DES TGT
Jeffrey Hutzelman
jhutz at cmu.edu
Fri Apr 8 13:48:07 EDT 2005
On Thursday, April 07, 2005 05:35:59 PM -0400 Sam Hartman
<hartmans at mit.edu> wrote:
> The best you can do is use the -e argument of the kvno program to
> request a des-cbc-crc ticket for the appropriate oracle service
> principal before you start Oracle.
The other thing you should do is file a TAR with Oracle on this issue,
describing the security and interoperability issues it causes for you and
asking them to fix the problem. The more people who report problems caused
by the use of such ancient Kerberos, the higher likelyhood they will fix it.
If you felt it was appropriate, you might point out that NIST is in the
process of withdrawing FIPS 46-3, after which federal agencies will not be
permitted to use single DES for the protection of federal information. The
full notice was published in the July 26, 2004 Federal Register (vol. 69,
no. 142, pp. 44509-44510) as docket number 040602169-4169-01.
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
More information about the Kerberos
mailing list