
Re: telnet: Encrypting the session key

On May 30, 2006, at 7:48 AM, Love Hörnquist Åstrand wrote:

>
> "Ted Percival" <Ted.Percival@quest.com> writes:
>
>> I was building Heimdal's telnet (and several other apps) with a krb5
>> implementation that only uses ARCFOUR tickets, not DES tickets. The first
>> change was in appl/telnet/libtelnet/kerberos5.c:247, changing KEYTYPE_DES
>> to KEYTYPE_ARCFOUR. I ran into a problem where the client's data showed
>> up garbled on the server. The reason turned out to be a keytype check in
>> appl/telnet/libtelnet/kerberos5.c. kerberos5_reply() calls
>> encrypt_session_key() regardless of keytype, but kerberos5_is() only
>> encrypts it in the following case:
>
> I thought that the telnet standard only supported DES and triple DES, of
> which Heimdal only supports the DES case. Jeffery Altman might know more
> about that.
>
> One problem is that Heimdal is not that good at returning sensible
> enctypes, in both AS-REQ and TGS-REQ. Doesn't the Windows Kerberos server
> support the arcfour enctype for the ticket, with single-DES for the
> session key?
>
> What I want to see is more people stopping using telnet and moving over
> to ssh/gssapi (both userauth and key exchange).
>
> Love

Yeah!

The GSSAPI-keyex stuff isn't in the openssh distro yet AFAIK, but it's in
current MacOS X, Solaris, Debian (and I'm told RedHat). If that doesn't
cover you then go to <http://www.sxw.org.uk/computing/patches/openssh.html>
and build a patched version of OpenSSH that does it properly.

There are patches for Solaris 9 that back-port ssh client support. If you
need to support MacOS 10.3 clients then I recommend the Debian Kerberized
OpenSSH 3.8 package (though the patches port to 3.9 without too much
trouble).
----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
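As an added illustration of the ssh/gssapi setup the two replies above point
to (this is not code from the thread, from Heimdal, or from the OpenSSH
project): the client and server options that turn on Kerberos/GSSAPI for
both user authentication and the SSH key exchange. It assumes an OpenSSH
built with the GSSAPI key-exchange patches (the sxw.org.uk patch set, or a
distribution build that carries it such as Debian's); a stock OpenSSH of
that era knows GSSAPIAuthentication but rejects GSSAPIKeyExchange as an
unknown option. The hostnames and realm are placeholders.

```conf
# Client side: ~/.ssh/config (added example; host and realm are placeholders)
Host *.example.com
    # Kerberos user authentication via the gssapi-with-mic method
    GSSAPIAuthentication yes
    # Kerberos-authenticated key exchange (needs the GSSAPI keyex patches);
    # the host is authenticated by its host/<fqdn>@REALM key, so no
    # known_hosts prompt and no TOFU on first connection
    GSSAPIKeyExchange yes
    # Do NOT forward a TGT to every host by default; enable per host only
    GSSAPIDelegateCredentials no

# Server side: /etc/ssh/sshd_config on the patched OpenSSH
# (host/<fqdn>@REALM must be present in the keytab sshd reads, usually
# /etc/krb5.keytab)
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
# Remove the cache on logout so delegated tickets do not linger
GSSAPICleanupCredentials yes
# With Kerberos in place, password authentication can be switched off
PasswordAuthentication no
```

One check after enabling this: run `ssh -vv host.example.com` with a valid
TGT and confirm the key-exchange line reports a gss-* method rather than
diffie-hellman-group*, and that no host-key prompt appears; if the client
falls back to a plain DH exchange, the server keytab or the client's
GSSAPIKeyExchange support is missing.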