
Enabling arcfour on Heimdal-0.6.3/OpenBSD



Dear list,

After a few days of trying and fiddling with the configuration, it
seems my KDC (Heimdal-0.6.3/OpenBSD, on OpenBSD 3.7) now generates RC4
keys (as well as the 3DES and DES keys) for my new principals.

However, I don't seem to be able to get my krbtgt/* and kadmin/*
principals to also obtain arcfour keys. This seems to be the case both
when using kadmin to init the realm and when trying to change the
principals in question.

Although my KDC is primarily targeted at Unix machines and services, I
would like to also be able to service a number of WinXP Pro
workstations. When importing the tickets into KfW, I only see
DES-based TGTs (DES-CBC-MD5). My host/workstation principals properly
show up (in KfW) with RC4-HMAC-NT keys.

Is there a way to enable/create RC4-based keys for my krbtgt and
kadmin principals? I seem to be unable to find it in the various
archives. To be on the safe side of debugging, I have my configuration
copied (using symlinks) to the various locations on the system.

Insight is greatly appreciated. Thanks in advance,

Rogier


Contents of my /var/heimdal/kdc.conf:
-+-+-+-+-+-
[libdefaults]
       # Set the realm of this host here
       default_realm = WEP.TUDELFT.NL

       # Maximum allowed time difference between KDC and this host
       clockskew = 300

       # Uncomment this if you run NAT on the client side of kauth.
       # This may be considered a security issue though.
       # no-addresses = yes

       # Use a broad range of encryption types
       default_etypes = des-cbc-crc, des-cbc-md4, des-cbc-md5, des3-cbc-sha1, arcfour-hmac-md5
       #aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

[realms]
       WEP.TUDELFT.NL = {
               # Specify KDC here
               kdc = kerberos.wep.local

               # Administration server, used for creating users etc.
               admin_server = kerberos.wep.local
       }


# This section describes how to figure out a realm given a DNS name
[domain_realm]
       .wep.local = WEP.TUDELFT.NL

[kadmin]
       default_keys = v5 arcfour-hmac-md5:pw-salt:

[logging]
       kdc = SYSLOG:INFO:DAEMON
       kadmind = SYSLOG:INFO:DAEMON
       kpasswdd = SYSLOG:INFO:DAEMON
       default = SYSLOG:INFO:DAEMON

-+-+-+-+-+-

--
If you don't know where you're going, any road will get you there.