[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Heimdal DES encryption!!
>>>>> On 23 Nov 1999,
>>>>> "Love" == Love wrote:
Love> firstname.lastname@example.org (Johan Danielsson) writes:
+> Szabo Szabolcs <email@example.com> writes:
+> > The CISCO routes use 40bits DES.
+> I doubt it. There is no defined way to use Kerberos with 40 bit
+> keys. It *could* leak bits when creating a session key, but that is
+> another story.
The 40bit DES you're referring to is not for Kerberos, it's for encrypted
tunnels and maybe something else. Cisco Kerberos does use 56-bit DES.
Love> In the latest release of IOS (oh well) for the 5500 contains krb5 support,
Love> but cisco in their almight glory decided that you can't decide who should
Love> be able to logging when using kerberos auth. If you have a instance, you
Love> can login. And when you are logged in you can do ``show kerberos'' and read
Love> the hostkey :(
The hostkey is not the hex value of the key; it is an 'encoded' value.
I'll leave it as an exercise to the reader to figure out how to determine
the encoding, but you can directly enter an encoded value in the CLI
instead of loading it via tftp. So you could enter this encoded value
on another router and perhaps use a test KDC to determine the key?
Sounds infeasible to me [+ easier ways to break in].
But as for being able to login, Cisco actually has this part right.
Kerberos provides authentication, not authorization. Once a principal's
identity is verified, to restrict logins you need to use
tacacs+/xtacacs/radius for authorization. Unfortunately, the 'secret'
for those protocols is directly visible in the UI.
Love> We solved it by using a new realm.
I tried this, but the headache of teaching users to manage multiple
realms in their c-cache wasn't worth it. If you already have a tacacs
server, I suggest using it for the authorization piece.
Love> Cisco Systems Console
Love> [ Trying KERBEROS5 ... ]
Love> [ Kerberos V5 accepts you as ``lha@LAN.E.KTH.SE'' ]
Love> [ Output is now encrypted with type DES_CFB64 ]
Love> [ Input is now decrypted with type DES_CFB64 ]
Love> Kerberos: Sending encrypted data.
Love> Kerberos: Receiving encrypted data.
Love> e-vax-c5500> show version
Love> WS-C5500 Software, Version McpSW: 5.2(1) NmpSW: 5.2(1)
Love> e-vax-c5500> show kerberos
Love> Kerberos Local Realm: LAN.E.KTH.SE
Love> Kerberos server entries:
Love> Realm: LAN.E.KTH.SE, Server: 188.8.131.52, Port: 750
Love> Kerberos Domain<->Realm entries:
Love> Domain: e.kth.se, Realm: LAN.E.KTH.SE
Love> Kerberos Clients NOT Mandatory
Love> Kerberos Credentials Forwarding Disabled
Love> Kerberos config key:
Love> Kerberos SRVTAB Entries
Love> Srvtab Entry 1: host/e-vax-c5500.lan.e.kth.se@LAN.E.KTH.SE \
Love> [version,host key,...]