
Re: Enabling arcfour on Heimdal-0.6.3/OpenBSD

W2K3 SP1 can use RC4 for cross-realm with a non-Windows KDC. There's a
check box somewhere for using des-cbc-md5 that you need to *not* check,
I've heard. (Previously you had to check it or it wouldn't work.)

On Oct 17, 2005, at 2:13 PM, Rogier Krieger wrote:

> On 10/13/05, Henry B. Hotz <hotz@jpl.nasa.gov> wrote:
>> You can edit dumpfile entries and merge the changes back.
> <snip>
>> You can use add --random-password instead of add -r.
> Both suggestions (of using --random-password and editing the dump
> file) seemed to work fine for me on the KDC end. Thanks for the
> pointers; they're much appreciated.
>
> I do wonder whether my WinXP workstation still obtains a TGT at
> DES-CBC-MD5 and a host-ticket at RC4-HMAC, even if my principals all
> have rc4-hmac keys belonging to them. Am I right to blame WinXP on
> this issue? I'm inclined to do so after digging through the MS KB
> documents detailing only DES. Yet, puzzlingly enough, my host ticket
> is an RC4 one, so perhaps I'm wrong here.
>
> I included my credential cache listings below for illustration. These
> were obtained from my MS credential cache (which I import to KfW Leash
> at startup).
>
> Cached Tickets: (2)
>       KerbTicket Encryption Type: Kerberos DES-CBC-MD5
>       End Time: 10/24/2005 21:30:08
>       Renew Time: 11/16/2005 21:30:08
>    Server: host/valhalla.wep.local@WEP.TUDELFT.NL
>       KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
>       End Time: 10/18/2005 21:30:08
>       Renew Time: 10/24/2005 21:30:08
>
>> You can upgrade to 0.7.x.
> True, although in principle, I prefer to stick with the in-base
> components (of OpenBSD) if they do the job. This choice is primarily
> based upon ease of maintenance and/or patching the system. Of course,
> there are exceptions.
>
> Perhaps it's time for me to (help) work on integrating 0.7.x into the
> OpenBSD tree. If the functionality is sufficient, I normally stick
> with versions for a while and figure out my preferred upgrade path.
>
> Thanks in advance,
> Rogier
> --
> If you don't know where you're going, any road will get you there.

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu