
Re: telnet: Encrypting the session key

On May 30, 2006, at 7:48 AM, Love Hörnquist Åstrand wrote:

> "Ted Percival" <Ted.Percival@quest.com> writes:
>> I was building Heimdal's telnet (and several other apps) with a krb5
>> implementation that only uses ARCFOUR tickets, not DES tickets. The
>> first change was in appl/telnet/libtelnet/kerberos5.c:247, changing
>> to KEYTYPE_ARCFOUR. I ran into a problem where the client's data
>> showed up garbled on the server. The reason turned out to be a keytype
>> check in appl/telnet/libtelnet/kerberos5.c. kerberos5_reply() calls
>> encrypt_session_key() regardless of keytype, but kerberos5_is() only
>> encrypts it in the following case:
>
> I thought that the telnet standard only supported DES and triple DES,
> of which Heimdal only supports the DES case. Jeffrey Altman might know
> more about that.
>
> One problem is that Heimdal is not that good at returning sensible
> enctypes, in both AS-REQ and TGS-REQ. Does Windows Kerberos server
> doesn't support arcfour enctype for the ticket, with single-des for the
> session key?
>
> What I want to see is more people stop using telnet and moving over to
> ssh/gssapi (both userauth and kex-exchange).
>
> Love


The GSSAPI-keyex stuff isn't in the openssh distro yet AFAIK, but
it's in current MacOS X, Solaris, Debian (and I'm told RedHat). If
that doesn't cover you then go to
<http://www.sxw.org.uk/computing/patches/openssh.html>
and build a patched version of OpenSSH that does it properly.

There are patches for Solaris 9 that back-port ssh client support.
If you need to support MacOS 10.3 clients then I recommend the Debian
Kerberized OpenSSH 3.8 package (though the patches port to 3.9
without too much trouble).

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu