[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: telnet: Encrypting the session key

To: "Ted Percival" <Ted.Percival@quest.com>
Subject: Re: telnet: Encrypting the session key
From: Love Hörnquist Åstrand <lha@kth.se>
Date: Tue, 30 May 2006 16:48:53 +0200
Cc: <heimdal-discuss@sics.se>
In-Reply-To: <4185301D58776E4E9A26D10F82232F7803B069@melmbxw01.prod.quest.corp> (TedPercival's message of "Fri, 26 May 2006 18:21:49 +1000")
References: <4185301D58776E4E9A26D10F82232F7803B069@melmbxw01.prod.quest.corp>
Sender: owner-heimdal-discuss@sics.se
User-Agent: Gnus/5.1006 (Gnus v5.10.6) Emacs/22.0.50 (darwin)

"Ted Percival" <Ted.Percival@quest.com> writes:

> I was building Heimdal's telnet (and several other apps) with a krb5
> implementation that only uses ARCFOUR tickets, not DES tickets. The first
> change was in appl/telnet/libtelnet/kerberos5.c:247, changing KEYTYPE_DES
> to KEYTYPE_ARCFOUR. I ran into a problem where the client's data showed
> up garbled on the server. The reason turned out to be a keytype check in
> appl/telnet/ libtelnet/kerberos5.c. kerberos5_reply() calls
> encrypt_session_key() regardless of keytype, but kerberos5_is() only
> encrypts it in the following case:

I thought that the telnet standard only supported DES and tripple DES, of
which heimdal only support the DES case. Jeffery Altman might know more
about that.

One problem is that Heimdal is not that good at returning sensable
enctypes, in both AS-REQ and TGS-REQ. Does Windows Kerberos server doesn't
support arcfour enctype for the ticket, with single-des for the session
key?

Want I want to see it more people stop using telnet and moving over to
ssh/gssapi (both userauth and kex-exchange).

Love

PGP signature

Follow-Ups:
- Re: telnet: Encrypting the session key
  - From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
- RE: telnet: Encrypting the session key
  - From: "Ted Percival" <Ted.Percival@quest.com>
- Re: telnet: Encrypting the session key
  - From: Harald Barth <haba@pdc.kth.se>

References:
- telnet: Encrypting the session key
  - From: "Ted Percival" <Ted.Percival@quest.com>

Prev by Date: Re: Logging in service principal
Next by Date: Re: Can't change password anymore (Password is in the passworddictionary... what dictionary??)
Prev by thread: telnet: Encrypting the session key
Next by thread: Re: telnet: Encrypting the session key
Index(es):
- Date
- Thread