[Todd Kover <kovert@omniscient.com>] KfW and triple des problems

Sam Hartman hartmans at MIT.EDU
Fri Feb 15 18:26:21 EST 2002

I'm somewhat bothered that this doesn't work.  I can't think of
anything obvious the user is doing wrong.  We should test this on
Windows.  I can help with test realms that do 3des.

------- Start of forwarded message -------
Message-Id: <200202132230.g1DMUtmO025236 at guiness.omniscient.com>
To: kerberos at mit.edu
Subject: KfW and triple des problems
From: Todd Kover <kovert at omniscient.com>
Date: Wed, 13 Feb 2002 17:30:55 -0500

is anyone aware of problems with KfW 2.1.2 and triple des encryption?

[ This is all krb5.  I have no krb4 support turned on anymore. ]

I'm attempting to get WinCVS/cvs working with gserver against the 2.1.2
sdk and have been successful using keys in my age-old kdc (migrated
over from v4) which only has a des-cbc-crc key for the relevant service

	kadmin:  getprinc cvs/saidin.omniscient.com
	[ ... ]
	Number of keys: 1
	Key: vno 2, DES cbc mode with CRC-32, no salt

(The kdc is running 1.2.2 now but that's a change since the
abovementioned principal was created).

I'm able to interact with a cvs server linked against 1.2.2 sources
using this service key just fine.

Using the same cvs binary, but against a relatively newly configured cvs
server (initially installed under 1.2) the service side is complaining:

	"could not verify credentials"

with a cvs server similarly linked against 1.2.2 libraries but with a
cvs/hostname principal in the kdc with key types:

	Number of keys: 2
	Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
	Key: vno 2, DES cbc mode with CRC-32, no salt

The odd thing is that when I have the windows box's krb5.ini file set

   default_tkt_enctypes = des-cbc-crc
   default_tgs_enctypes = des-cbc-crc

I can kinit against it fine from the windows box.  If I change this to:

   default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
   default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

kinits fail.

This leads me to believe something is awry with the des3-hmac-sha1

It seems that the .ini file is ignored when grabbing service tickets
because the credentials cache on the windows box has both keys in it
when I attempt to use cvs, regardless of the config file. (this isn't

Does this ring any bells for anyone?  I haven't dug deeply into the code
just yet.  I figured I'd ask before I started to try to parse it and get
the encryption-induced headache I expect. :-)

windows 2000+sp2 if that makes a difference.  Everything's built with
Visual C++&&sp5.

Kerberos mailing list
Kerberos at mit.edu
------- End of forwarded message -------
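The post's symptom comes down to enctype negotiation: the client asks for its `default_tgs_enctypes` in preference order, and the KDC can only issue a service ticket in an enctype for which the service principal actually has a key. The following script, an added illustration that is not code from this thread or from MIT Kerberos, parses the `kadmin getprinc` key lines and the `krb5.ini` fragments quoted above (both constructed here from the text of the post), computes which enctype the service ticket would use, and reports when there is no usable overlap. The mapping from kadmin's key descriptions to krb5.conf enctype names, and the `allow_weak` switch that models a KDC refusing single-DES keys, are assumptions made for this example and go slightly beyond the post by handling the general case of any client list against any set of service keys.

```python
"""Model Kerberos service-ticket enctype selection from client config and
service-principal keys.

Added example, not from the original thread or from MIT Kerberos. The kadmin
output and krb5.ini fragments below are constructed from the text of the post.
"""
import re

# kadmin "getprinc" describes keys in words; krb5.conf uses short names.
# Assumed mapping for this example (covers the two key types in the post).
KADMIN_TO_ENCTYPE = {
    "DES cbc mode with CRC-32": "des-cbc-crc",
    "Triple DES cbc mode with HMAC/sha1": "des3-hmac-sha1",
}

# Single-DES enctypes; a hardened KDC should refuse to use these at all.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}

# Constructed from the post: the old principal and the newly created one.
OLD_PRINC = """\
Number of keys: 1
Key: vno 2, DES cbc mode with CRC-32, no salt
"""
NEW_PRINC = """\
Number of keys: 2
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, DES cbc mode with CRC-32, no salt
"""

# Constructed from the post: the two krb5.ini variants the poster tried.
INI_DES_ONLY = """\
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
"""
INI_DES3_FIRST = """\
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
"""


def parse_kadmin_keys(getprinc_output):
    """Return (kvno, enctype) pairs from kadmin getprinc 'Key:' lines."""
    keys = []
    for line in getprinc_output.splitlines():
        m = re.match(r"\s*Key: vno (\d+), (.+?), (.+)$", line)
        if m:
            kvno, desc = int(m.group(1)), m.group(2)
            keys.append((kvno, KADMIN_TO_ENCTYPE.get(desc, desc)))
    return keys


def parse_ini_enctypes(ini_text, key):
    """Return the space-separated enctype list configured for `key`."""
    for line in ini_text.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*(.+?)\s*$", line)
        if m and m.group(1) == key:
            return m.group(2).split()
    return []


def select_enctype(client_enctypes, service_keys, allow_weak=True):
    """Pick the first client-preferred enctype the service has a key for.

    Returns None when nothing usable overlaps; that is the situation in which
    the service side ends up rejecting the ticket outright.
    """
    available = {enctype for _, enctype in service_keys}
    for enctype in client_enctypes:
        if enctype not in available:
            continue
        if not allow_weak and enctype in WEAK_ENCTYPES:
            continue
        return enctype
    return None


def report(ini_text, getprinc_output, allow_weak=True):
    """Human-readable summary of the negotiation outcome."""
    client = parse_ini_enctypes(ini_text, "default_tgs_enctypes")
    keys = parse_kadmin_keys(getprinc_output)
    chosen = select_enctype(client, keys, allow_weak)
    if chosen is None:
        return "no usable enctype: client wants %s, service has %s" % (
            client, [e for _, e in keys])
    note = " (weak single-DES)" if chosen in WEAK_ENCTYPES else ""
    return "service ticket enctype: %s%s" % (chosen, note)


if __name__ == "__main__":
    print(report(INI_DES_ONLY, OLD_PRINC))
    print(report(INI_DES3_FIRST, NEW_PRINC))
    print(report(INI_DES3_FIRST, OLD_PRINC, allow_weak=False))
```

Run as a script it walks the three situations from the post: the DES-only client against the old single-key principal, the DES3-first client against the two-key principal (where a correct KDC would pick des3-hmac-sha1, so a failure there points at the client library rather than at key availability), and a hardened KDC that refuses single-DES, which leaves the old principal unusable until it is rekeyed.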
