[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

telnet: Encrypting the session key

Title: telnet: Encrypting the session key

I was building Heimdal's telnet (and several other apps) with a krb5 implementation that only uses ARCFOUR tickets, not DES tickets. The first change was in appl/telnet/libtelnet/kerberos5.c:247, changing KEYTYPE_DES to KEYTYPE_ARCFOUR. I ran into a problem where the client's data showed up garbled on the server. The reason turned out to be a keytype check in appl/telnet/libtelnet/kerberos5.c. kerberos5_reply() calls encrypt_session_key() regardless of keytype, but kerberos5_is() only encrypts it in the following case:

497             if(key_block->keytype == ETYPE_DES_CBC_MD5 ||
498                key_block->keytype == ETYPE_DES_CBC_MD4 ||
499                key_block->keytype == ETYPE_DES_CBC_CRC) {

The fix I have used so far is to add a check for
                   key_block->keytype == ETYPE_ARCFOUR_HMAC_MD5
to that list.

My question is whether this keytype check should be done at all, perhaps the session key should always be created & encrypted regardless, otherwise it is probably helpful for the Heimdal source to also create an encrypted session key for ETYPE_ARCFOUR_HMAC_MD5 by adding the same check to the if block shown above.

The Subversion source repository I'm using is available from http://rc.vintela.com/svn/repos/vas-apps/trunk/ (particularly the heimdal directory), the main change was made in revision 83.

-Ted Percival

(Sorry about this message being HTMLised, I wish I could disable it.)