[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: cisco enctypes trouble
>>>>> On Thu, 25 Nov 1999, "Jakob" == Jakob Schlyter wrote:
Jakob> I've just added one of our cisco routers (runnig IOS 12.0(7) into
Jakob> my kerberos5 test realm. I made some observations I'd like som
Jakob> comments on...
Jakob> 1. Plain 'kinit' gets a des3-cbc-sha1 TGT which does not work
Jakob> with cisco.
You must also be getting a des3-cbc-sha1 service ticket; I think another
followup discusses this.
Jakob> 2. 'kinit -e des-cbc-crc' does work.
Jakob> 3. heimdal 'telnet' gets a des-cbc-md5 ticket for the router.
Jakob> This does not work.
Cisco has a broken des-cbc-md5. Cisco's implementation is based on older
Cybersafe code, which was based on MIT earlier than beta5. des-cbc-md5
was incorrectly implemented in that code. [I understand the newer
Cybersafe code is correct, but I haven't been able to test this.]
I will be putting pressure on Cisco in 1Q00 to correct their des-cbc-md5.
I wouldn't expect a fix until 3Q00, if at all.