Re: Heimdal with Solaris 8 clients, amongst other things



"Tim Bishop" <tim-lists@bishnet.net> writes:

> DES3 with MD5 did seem odd. In fact, we only got there by a bit of fiddling.
> I've actually told the Solaris 8 client to use "des3-cbc-sha" (not
> des3-cbc-sha1) but according to heimdal it's sending "des3-cbc-md5". I can't
> seem to get it to send any other des3 types.

Aha, oho. I think this is some non-standard DES3 using SHA1, but
without the key-derivation stuff that's required for real
des3-cbc-sha1. It might correspond to the "old-des3-cbc-sha1" enctype
(that we have as 7).

If you *really* want this to work, you could probably swap these two
enctypes (in lib/asn1/k5.asn1), and recompile your kdc. Don't know if
it's worth the trouble.

> Mine has a '1' between the ::. I guess this should imply it's
> encrypted?

Yes.

> However moving the key out of the way doesn't cause any problems
> starting up. Again, more debugging output might be useful.. eg:
> "using master key to decrypt database".

Well, the thing is that you may have any number of master keys active
at any time. It should complain if it can't decrypt a key though.

/Johan