Re: Heimdal DES encryption!!

[Ken Hornstein <kenh@cmf.nrl.navy.mil>]

>The hostkey is not the hex value of the key; it is an 'encoded' value.
>I'll leave it as an exercise to the reader to figure out how to determine
>the encoding, but you can directly enter an encoded value in the CLI
>instead of loading it via tftp. So you could enter this encoded value
>on another router and perhaps use a test KDC to determine the key?
>Sounds infeasible to me [+ easier ways to break in].

Actually ... as I understood it from a cisco employee, it's pretty much
a straight translation of the host key into a printable format (just not
hex).  So if you grab it, you could then masquerade as anyone to
that router.  Although .... I thought the key for the router was only
available to the cisco "superuser" equivalant.  I believe under some
weird cases (like you have the domestic release and you do some
additional magic) then it gets "hidden" by even the UI.

>But as for being able to login, Cisco actually has this part right.
>Kerberos provides authentication, not authorization. Once a principal's
>identity is verified, to restrict logins you need to use
>tacacs+/xtacacs/radius for authorization. Unfortunately, the 'secret'
>for those protocols is directly visible in the UI.

I believe we just create local login accounts; seems to work reasonably
well.

--Ken