
Re: Enabling arcfour on Heimdal-0.6.3/OpenBSD



On 10/13/05, Henry B. Hotz <hotz@jpl.nasa.gov> wrote:
> You can edit dumpfile entries and merge the changes back.
<snip>
> You can use add --random-password instead of add -r.

Both suggestions (of using --random-password and editing the dump
file) seemed to work fine for me on the KDC end. Thanks for the
pointers; they're much appreciated.

I do wonder whether my WinXP workstation still obtains a TGT at
DES-CBC-MD5 and a host-ticket at RC4-HMAC, even if my principals all
have rc4-hmac keys belonging to them. Am I right to blame WinXP for
this issue? I'm inclined to do so after digging through the MS KB
documents detailing only DES. Yet, puzzlingly enough, my host ticket
is an RC4 one, so perhaps I'm wrong here.

I included my credential cache listings below for illustration. These
were obtained from my MS credential cache (which I import to KfW Leash
at startup).

Cached Tickets: (2)
   Server: krbtgt/WEP.TUDELFT.NL@WEP.TUDELFT.NL
      KerbTicket Encryption Type: Kerberos DES-CBC-MD5
      End Time: 10/24/2005 21:30:08
      Renew Time: 11/16/2005 21:30:08

   Server: host/valhalla.wep.local@WEP.TUDELFT.NL
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 10/18/2005 21:30:08
      Renew Time: 10/24/2005 21:30:08


> You can upgrade to 0.7.x.

True, although in principle, I prefer to stick with the in-base
components (of OpenBSD) if they do the job. This choice is primarily
based upon ease of maintenance and/or patching the system. Of course,
there are exceptions.

Perhaps it's time for me to (help) work on integrating 0.7.x into the
OpenBSD tree. If the functionality is sufficient, I normally stick
with versions for a while and figure out my preferred upgrade path.

Thanks in advance,

Rogier

--
If you don't know where you're going, any road will get you there.
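
Added example, not part of the original message: a small Python parser for a ticket listing in the layout quoted above, reporting the encryption family of each ticket so that a TGT issued with single DES next to an RC4 service ticket stands out. The function names and family labels are assumptions of this example; the listing is copied from the message.

```python
import re

# Listing copied from the message above (klist-style output of the MS credential cache).
LISTING = """\
Cached Tickets: (2)
   Server: krbtgt/WEP.TUDELFT.NL@WEP.TUDELFT.NL
      KerbTicket Encryption Type: Kerberos DES-CBC-MD5
      End Time: 10/24/2005 21:30:08
      Renew Time: 11/16/2005 21:30:08

   Server: host/valhalla.wep.local@WEP.TUDELFT.NL
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 10/18/2005 21:30:08
      Renew Time: 10/24/2005 21:30:08
"""
# Family labels are this example's own; single DES is deprecated for Kerberos
# by RFC 6649 and RC4-HMAC by RFC 8429.
FAMILIES = [
    (re.compile(r"\bDES-CBC-(CRC|MD4|MD5)\b", re.I), "single-DES"),
    (re.compile(r"\b(RC4|ARCFOUR)-HMAC", re.I), "RC4"),
    (re.compile(r"\bAES-?(128|256)", re.I), "AES"),
]

def classify(enctype):
    """Map an encryption-type string to a family label, or 'unknown'."""
    return next((name for rx, name in FAMILIES if rx.search(enctype)), "unknown")

def parse_tickets(text):
    """Return one dict per 'Server:' block; check the count in the header line."""
    tickets, declared = [], None
    for line in text.splitlines():
        header = re.match(r"\s*Cached Tickets:\s*\((\d+)\)", line)
        if header:
            declared = int(header.group(1))
            continue
        key, sep, value = line.strip().partition(": ")
        if sep and key == "Server":
            tickets.append({})
        if sep and tickets:
            tickets[-1][key] = value
    if declared is not None and declared != len(tickets):
        raise ValueError(f"header says {declared} tickets, parsed {len(tickets)}")
    return tickets

def audit(text):
    """Return (server, family, is_tgt) for every ticket in the listing."""
    return [(t["Server"], classify(t.get("KerbTicket Encryption Type", "")),
             t["Server"].startswith("krbtgt/")) for t in parse_tickets(text)]

if __name__ == "__main__":
    for server, family, is_tgt in audit(LISTING):
        print(f"{'TGT' if is_tgt else 'service':8} {family:11} {server}")
```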