Kerberos packets appear to be larger

Jeremy Hunt jeremyh at optimation.com.au
Wed Aug 7 11:45:00 EDT 2013


Hi,

I am investigating upgrading our Kerberos from 1.8 to 1.11.

The transition has been reasonably smooth but we have one part of our 
system that has a buffer issue. It appears to choke on the returned 
AS_REP packet after an initial AS_REQ packet. It appears that the size 
of this AS_REP packet has grown from 1200 bytes to 1572 bytes, which is 
a fairly hefty increase.

This is a legacy system and still uses DES and triple DES. Each 
principal of the database has two keys, one des-cbc-crc and one 
des3-hmac-sha1. I have tried to shrink the packet size by restricting 
the enc types and checksums in the krb5.conf and kdc.conf.

The initial config has these entries in the libdefaults section of 
krb5.conf:
         allow_weak_crypto = true
         default_tkt_enctypes = des-cbc-crc des3-hmac-sha1
         default_tgs_enctypes = des-cbc-crc des3-hmac-sha1

... and also the following entries in the realms section of the kdc.conf:
         supported_enctypes = des-cbc-crc:normal des3-hmac-sha1:normal
         kdc_supported_enctypes = des-cbc-crc:normal des3-hmac-sha1:normal

As I stated before, with Kerberos 1.11 the size of the AS_REP packet has 
grown from 1200 bytes to 1572 bytes. I can tolerate packet lengths up to 
1332 bytes in length.

I have tried fiddling with the 'salt' types in the kdc.conf entries, and 
have tried various permutations of the following entries in krb5.conf:
         default_tkt_enctypes
         default_tgs_enctypes
         permitted_enctypes
         kdc_req_checksum_type
         ap_req_checksum_type
         safe_checksum_type

But nothing seems to shrink the returned packet size. Can anyone suggest 
how I can reduce the length of the returned AS_REP packet with the configs?

Thanks in advance,

Jeremy

