[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: cisco enctypes trouble

To: Jakob Schlyter <jakob@cdg.chalmers.se>
Subject: Re: cisco enctypes trouble
From: Frank Cusack <fcusack@iconnet.net>
Date: Fri, 26 Nov 1999 23:50:54 -0800
Cc: heimdal-discuss@sics.se
In-reply-to: jakob's message of Thu, 25 Nov 1999 22:27:16 +0100. <Pine.GSO.4.21.9911252205090.12400-100000@wentzl.cdg.chalmers.se>
Sender: owner-heimdal-discuss@sics.se


>>>>> On Thu, 25 Nov 1999, "Jakob" == Jakob Schlyter wrote:

  Jakob> Hi,

  Jakob> I've just added one of our cisco routers (runnig IOS 12.0(7) into
  Jakob> my kerberos5 test realm. I made some observations I'd like som
  Jakob> comments on...

  Jakob> 1. Plain 'kinit' gets a des3-cbc-sha1 TGT which does not work
  Jakob> with cisco.

You must also be getting a des3-cbc-sha1 service ticket; I think another
followup discusses this.

  Jakob> 2. 'kinit -e des-cbc-crc' does work.

  Jakob> 3. heimdal 'telnet' gets a des-cbc-md5 ticket for the router.
  Jakob> This does not work.

Cisco has a broken des-cbc-md5. Cisco's implementation is based on older
Cybersafe code, which was based on MIT earlier than beta5. des-cbc-md5
was incorrectly implemented in that code. [I understand the newer
Cybersafe code is correct, but I haven't been able to test this.]

I will be putting pressure on Cisco in 1Q00 to correct their des-cbc-md5.
I wouldn't expect a fix until 3Q00, if at all.

~f

References:
- cisco enctypes trouble
  - From: Jakob Schlyter <jakob@cdg.chalmers.se>

Prev by Date: Re: cisco enctypes trouble
Next by Date: Re: Authorization
Prev by thread: Re: cisco enctypes trouble
Next by thread: Heimdal 0.2d using W2k KDC
Index(es):
- Date
- Thread