
Re: Heimdal DES encryption!!

joda@pdc.kth.se (Johan Danielsson) writes:

> Szabo Szabolcs <szesz@andromeda.aszi.sztaki.hu> writes:
> > The CISCO routers use 40-bit DES.
> I doubt it. There is no defined way to use Kerberos with 40 bit
> keys. It *could* leak bits when creating a session key, but that is
> another story.

The latest release of IOS (oh well) for the 5500 contains krb5 support,
but Cisco in their almighty glory decided that you can't decide who should
be able to log in when using Kerberos auth. If you have an instance, you
can log in. And when you are logged in you can do ``show kerberos'' and read
the host key :(

We solved it by using a new realm.


Cisco Systems Console

[ Trying KERBEROS5 ... ]
[ Kerberos V5 accepts you as ``lha@LAN.E.KTH.SE'' ]
[ Output is now encrypted with type DES_CFB64 ]
[ Input is now decrypted with type DES_CFB64 ]
Kerberos:       Sending encrypted data.
Kerberos:       Receiving encrypted data.

e-vax-c5500> show version
WS-C5500 Software, Version McpSW: 5.2(1) NmpSW: 5.2(1)
e-vax-c5500> show kerberos
Kerberos Local Realm: LAN.E.KTH.SE 
Kerberos server entries: 
Realm: LAN.E.KTH.SE,  Server:                           ,  Port: 750

Kerberos Domain<->Realm entries: 
Domain: e.kth.se,  Realm: LAN.E.KTH.SE 

Kerberos Clients NOT Mandatory
Kerberos Credentials Forwarding Disabled
Kerberos config key: 
Kerberos SRVTAB Entries 
Srvtab Entry 1: host/e-vax-c5500.lan.e.kth.se@LAN.E.KTH.SE \
[version,host key,...]
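An added example, not from the post or from Cisco or Heimdal: a small audit script that parses `show kerberos` output of the shape quoted above and flags the two conditions the post describes (the switch sharing a realm with ordinary users, and the host key being readable by anyone who can log in). The sample output, the user-domain list and the finding labels are constructed for this example.

```python
import re

# Constructed sample, modelled on the `show kerberos` output quoted in the post
# (the key material that follows each srvtab entry is omitted here).
SAMPLE = """\
Kerberos Local Realm: LAN.E.KTH.SE
Kerberos server entries:
Realm: LAN.E.KTH.SE,  Server:                           ,  Port: 750

Kerberos Domain<->Realm entries:
Domain: e.kth.se,  Realm: LAN.E.KTH.SE

Kerberos Clients NOT Mandatory
Kerberos Credentials Forwarding Disabled
Kerberos SRVTAB Entries
Srvtab Entry 1: host/e-vax-c5500.lan.e.kth.se@LAN.E.KTH.SE
"""

def parse_show_kerberos(text):
    """Pull the local realm, the domain->realm map and the srvtab principals out."""
    info = {"local_realm": None, "domain_realms": {}, "srvtab_principals": []}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"Kerberos Local Realm:\s*(\S+)", line):
            info["local_realm"] = m.group(1)
        elif m := re.match(r"Domain:\s*([^,\s]+),\s*Realm:\s*(\S+)", line):
            info["domain_realms"][m.group(1)] = m.group(2)
        elif m := re.match(r"Srvtab Entry \d+:\s*(\S+)", line):
            info["srvtab_principals"].append(m.group(1))
    return info

def audit(info, user_domains):
    """Return findings. HIGH: the switch sits in the same realm as ordinary users,
    so (as the post describes) every principal in that realm can log in and then
    read the host key with `show kerberos`. The post's fix is a dedicated realm."""
    findings = []
    local = info["local_realm"]
    for dom in user_domains:
        if info["domain_realms"].get(dom) == local:
            findings.append(f"HIGH: local realm {local} is shared with user domain {dom}")
    for princ in info["srvtab_principals"]:
        realm = princ.rsplit("@", 1)[-1] if "@" in princ else None
        if realm != local:
            findings.append(f"WARN: srvtab {princ} is not in local realm {local}")
        findings.append(f"INFO: host key for {princ} is readable by anyone who can log in")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_show_kerberos(SAMPLE), ["e.kth.se"]):
        print(finding)
```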