[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Heimdal DES encryption!!
>>>>> On Tue, 23 Nov 1999, "Ken" == Ken Hornstein wrote:
+> The hostkey is not the hex value of the key; it is an 'encoded'
+> value. I'll leave it as an exercise to the reader to figure out how
+> to determine the encoding, but you can directly enter an encoded
+> value in the CLI instead of loading it via tftp. So you could enter
+> this encoded value on another router and perhaps use a test KDC to
+> determine the key? Sounds infeasible to me [+ easier ways to break
Ken> Actually ... as I understood it from a cisco employee, it's pretty
Ken> much a straight translation of the host key into a printable format
Well, yeah. It's an 'encoding'. Not an encryption, hash, or other
fancier sounding word. :)
Ken> (just not hex). So if you grab it, you could then masquerade as
Ken> anyone to that router. Although .... I thought the key for the
Ken> router was only available to the cisco "superuser" equivalant. I
Anyone that can do a 'wr t' or 'sh run' can see it. By default the
non-superuser cannot do this. But these commands can be allowed
arbitrarily by users. Typically you would allow low level users to
use commands like this (non destructive/volatile commands).
Ken> believe under some weird cases (like you have the domestic release
Ken> and you do some additional magic) then it gets "hidden" by even the
hmm... Never heard of that. I would tend to think this isn't correct
as you typically can restore a config solely from the 'wr t' output.
+> But as for being able to login, Cisco actually has this part
+> right. Kerberos provides authentication, not authorization. Once a
+> principal's identity is verified, to restrict logins you need to use
+> tacacs+/xtacacs/radius for authorization. Unfortunately, the 'secret'
+> for those protocols is directly visible in the UI.
Ken> I believe we just create local login accounts; seems to work
Ken> reasonably well.
Yup, that'll work too. Our environment has too many users, too much
churn, and too many devices to do that.