
Re: Heimdal DES encryption!!

>>>>> On 23 Nov 1999,
>>>>> "Love" == Love wrote:

  Love> joda@pdc.kth.se (Johan Danielsson) writes:

  +> Szabo Szabolcs <szesz@andromeda.aszi.sztaki.hu> writes:

  +> > The CISCO routers use 40-bit DES.

  +> I doubt it. There is no defined way to use Kerberos with 40 bit
  +> keys. It *could* leak bits when creating a session key, but that is
  +> another story.

The 40-bit DES you're referring to is not for Kerberos, it's for encrypted
tunnels and maybe something else. Cisco Kerberos does use 56-bit DES.

  Love> The latest release of IOS (oh well) for the 5500 contains krb5 support,
  Love> but Cisco in their almighty glory decided that you can't decide who should
  Love> be able to log in when using Kerberos auth. If you have an instance, you
  Love> can log in. And when you are logged in you can do ``show kerberos'' and read
  Love> the hostkey :(

The hostkey is not the hex value of the key; it is an 'encoded' value.
I'll leave it as an exercise to the reader to figure out how to determine
the encoding, but you can directly enter an encoded value in the CLI
instead of loading it via tftp. So you could enter this encoded value
on another router and perhaps use a test KDC to determine the key?
Sounds infeasible to me [+ easier ways to break in].

But as for being able to login, Cisco actually has this part right.
Kerberos provides authentication, not authorization. Once a principal's
identity is verified, to restrict logins you need to use
tacacs+/xtacacs/radius for authorization. Unfortunately, the 'secret'
for those protocols is directly visible in the UI.

  Love> We solved it by using a new realm.

I tried this, but the headache of teaching users to manage multiple
realms in their c-cache wasn't worth it. If you already have a tacacs
server, I suggest using it for the authorization piece.


  Love> Love

  Love> Cisco Systems Console

  Love> [ Trying KERBEROS5 ... ]
  Love> [ Kerberos V5 accepts you as ``lha@LAN.E.KTH.SE'' ]
  Love> [ Output is now encrypted with type DES_CFB64 ]
  Love> [ Input is now decrypted with type DES_CFB64 ]
  Love> Kerberos:       Sending encrypted data.
  Love> Kerberos:       Receiving encrypted data.

  Love> e-vax-c5500> show version
  Love> WS-C5500 Software, Version McpSW: 5.2(1) NmpSW: 5.2(1)
  Love> [..]
  Love> e-vax-c5500> show kerberos
  Love> Kerberos Local Realm: LAN.E.KTH.SE
  Love> Kerberos server entries:
  Love> Realm: LAN.E.KTH.SE,  Server:,  Port: 750

  Love> Kerberos Domain<->Realm entries:
  Love> Domain: e.kth.se,  Realm: LAN.E.KTH.SE

  Love> Kerberos Clients NOT Mandatory
  Love> Kerberos Credentials Forwarding Disabled
  Love> Kerberos config key:
  Love> Kerberos SRVTAB Entries
  Love> Srvtab Entry 1: host/e-vax-c5500.lan.e.kth.se@LAN.E.KTH.SE \
  Love> [version,host key,...]
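The authentication-versus-authorization distinction made in the reply above, as an added example that is not part of the original mail or of any Cisco or Heimdal code: the first check mirrors the behaviour Love complains about (any principal the local KDC vouches for gets a login), the second adds the authorization step that the reply says must come from tacacs+/radius. The realm and the principal `lha` are taken from the `show kerberos` output in the thread; the allow-list and the other principal strings are constructed for the example.

```python
"""Kerberos authentication vs. login authorization (added example).

Assumes the device has already completed the Kerberos exchange and now
holds the authenticated principal as a string of the form
    name[/instance]@REALM
The principal strings used below are constructed test input.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Local realm as printed by 'show kerberos' in the quoted session.
LOCAL_REALM = "LAN.E.KTH.SE"

# Hypothetical authorization table, standing in for what a tacacs+ server
# would answer when asked whether a user may get an exec shell.
EXEC_ALLOWED: FrozenSet[str] = frozenset({"lha", "netops"})


@dataclass(frozen=True)
class Principal:
    name: str
    instance: Optional[str]
    realm: str


def parse_principal(text: str) -> Principal:
    """Split 'name[/instance]@REALM'. Rejects anything malformed so a
    garbled principal can never be mistaken for an allowed one."""
    if text.count("@") != 1:
        raise ValueError(f"malformed principal: {text!r}")
    local, realm = text.split("@")
    if not local or not realm:
        raise ValueError(f"malformed principal: {text!r}")
    name, _, instance = local.partition("/")
    if not name:
        raise ValueError(f"malformed principal: {text!r}")
    return Principal(name=name, instance=instance or None, realm=realm)


def authenticated_only(text: str) -> bool:
    """The policy the mail objects to: the KDC vouched for the principal
    and it belongs to the local realm, so it is allowed in. This answers
    'who is it?' and nothing else."""
    return parse_principal(text).realm == LOCAL_REALM


def authorized_for_exec(text: str,
                        allowed: FrozenSet[str] = EXEC_ALLOWED) -> bool:
    """Authentication followed by an explicit authorization decision.

    Fail closed on every branch: foreign realm, service/instance
    principals (e.g. host/...), and users missing from the allow-list are
    all refused even though the KDC authenticated them perfectly well."""
    p = parse_principal(text)
    if p.realm != LOCAL_REALM:
        return False          # not our realm; no cross-realm logins here
    if p.instance is not None:
        return False          # host/ and admin instances get no shell
    return p.name in allowed  # the actual authorization question


def decide(text: str) -> str:
    """Summarise both policies for one authenticated principal."""
    try:
        authn = authenticated_only(text)
        authz = authorized_for_exec(text)
    except ValueError:
        return "reject (malformed)"
    if authz:
        return "login (authenticated and authorized)"
    if authn:
        return "login under kerberos-only policy, REFUSED with authorization"
    return "reject (not authenticated for this realm)"


if __name__ == "__main__":
    # Constructed sample principals, not taken from any real KDC.
    for who in ("lha@LAN.E.KTH.SE",
                "student@LAN.E.KTH.SE",
                "host/e-vax-c5500.lan.e.kth.se@LAN.E.KTH.SE",
                "lha@OTHER.EXAMPLE",
                "no-realm-here"):
        print(f"{who:45} -> {decide(who)}")
```

The second case is the one the thread is about: `student@LAN.E.KTH.SE` holds a perfectly valid ticket, so a device that stops at authentication lets it in, while the authorization step refuses it.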