
Re: cisco enctypes trouble

>>>>> On Thu, 25 Nov 1999, "Jakob" == Jakob Schlyter wrote:

  Jakob> Hi,

  Jakob> I've just added one of our cisco routers (running IOS 12.0(7)) into
  Jakob> my kerberos5 test realm. I made some observations I'd like some
  Jakob> comments on...

  Jakob> 1. Plain 'kinit' gets a des3-cbc-sha1 TGT which does not work
  Jakob> with cisco.

You must also be getting a des3-cbc-sha1 service ticket; I think another
followup discusses this.

  Jakob> 2. 'kinit -e des-cbc-crc' does work.

  Jakob> 3. heimdal 'telnet' gets a des-cbc-md5 ticket for the router.
  Jakob> This does not work.

Cisco has a broken des-cbc-md5. Cisco's implementation is based on older
Cybersafe code, which was based on MIT earlier than beta5. des-cbc-md5
was incorrectly implemented in that code. [I understand the newer
Cybersafe code is correct, but I haven't been able to test this.]

I will be putting pressure on Cisco in 1Q00 to correct their des-cbc-md5.
I wouldn't expect a fix until 3Q00, if at all.
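The reply above makes the point that the enctype of the service ticket matters as much as that of the TGT. As an added example, not code from either poster, the script below parses the output of `klist -e` and reports any ticket for a chosen service whose enctype is outside the set that host is known to handle (here only des-cbc-crc, as the thread reports for the router). The sample output is constructed and follows the MIT `klist -e` layout ("Etype (skey, tkt): ..." under each ticket); the principal names and cache path are placeholders.

```python
import re

# Constructed sample of `klist -e` output in MIT format (assumed layout; not from the thread).
# Placeholder realm, user and router names.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jakob@EXAMPLE.ORG

Valid starting       Expires              Service principal
11/25/99 10:00:00    11/25/99 20:00:00    krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
\tEtype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1
11/25/99 10:01:00    11/25/99 20:00:00    host/router.example.org@EXAMPLE.ORG
\tEtype (skey, tkt): des-cbc-md5, des-cbc-md5
"""

# Session-key enctype and ticket enctype, as printed by MIT klist -e.
ETYPE_RE = re.compile(r"Etype \(skey, tkt\): ([\w-]+), ([\w-]+)")


def parse_klist(text):
    """Return a list of (service_principal, session_etype, ticket_etype) tuples.

    A ticket line carries start time, expiry and the service principal; the
    following line carries the enctypes. Header and cache lines have no '@'
    in their last field and are skipped.
    """
    entries = []
    principal = None
    for line in text.splitlines():
        m = ETYPE_RE.search(line)
        if m and principal is not None:
            entries.append((principal, m.group(1), m.group(2)))
            principal = None
            continue
        fields = line.split()
        if len(fields) >= 5 and "@" in fields[-1]:
            principal = fields[-1]
    return entries


def unsupported_tickets(entries, service_pattern, supported):
    """Tickets for services matching service_pattern whose ticket enctype
    is not in the supported set; these are the ones the peer will reject."""
    return [
        (principal, ticket_etype)
        for principal, _session_etype, ticket_etype in entries
        if re.search(service_pattern, principal) and ticket_etype not in supported
    ]


if __name__ == "__main__":
    tickets = parse_klist(SAMPLE_KLIST)
    for principal, skey, tkt in tickets:
        print(f"{principal}: session={skey} ticket={tkt}")
    # Only des-cbc-crc is reported as working against the router in the thread.
    for principal, tkt in unsupported_tickets(tickets, r"^host/router\.", {"des-cbc-crc"}):
        print(f"WARNING: {principal} has ticket enctype {tkt}; request des-cbc-crc instead")
```

Run it against real `klist -e` output by replacing the constructed sample; if the router's ticket shows des-cbc-md5 or des3-cbc-sha1, the fix on the client side is the `kinit -e des-cbc-crc` step already mentioned in the thread.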