[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: telnet: Encrypting the session key

To: <heimdal-discuss@sics.se>
Subject: RE: telnet: Encrypting the session key
From: "Ted Percival" <Ted.Percival@quest.com>
Date: Wed, 31 May 2006 11:27:58 +1000
References: <4185301D58776E4E9A26D10F82232F7803B069@melmbxw01.prod.quest.corp> <m2y7wjtvoq.fsf@nutcracker-2.local>
Sender: owner-heimdal-discuss@sics.se
Thread-Index: AcaEMsnXJplK/FOeSN6iF75Y+Bcj8wAHqkyr
Thread-Topic: telnet: Encrypting the session key

Title: RE: telnet: Encrypting the session key

On May 30, 2006, at 7:48 AM, Love Hörnquist Åstrand wrote:
> I thought that the telnet standard only supported DES and tripple
> DES, of
> which heimdal only support the DES case. Jeffery Altman might know
> more
> about that.

Yep, RFC 2946 for reference. ARCFOUR is what's being used for the
kerberos tickets, and DES is still being used as the stream cipher. The
problem is that the server is only DES-encrypting the session key if a
DES kerberos ticket is used for auth, whereas the client always decrypts
the session key (leading to a bogus encrypted stream when it begins
sending data).

I have attached a diff of the changes to appl/telnet/libtelnet/kerberos5.c

> One problem is that Heimdal is not that good at returning sensable
> enctypes, in both AS-REQ and TGS-REQ. Does Windows Kerberos server
> doesn't
> support arcfour enctype for the ticket, with single-des for the
> session
> key?

Seems to work for me. I have arcfour tickets and building Heimdal's
telnet with the changes to kerberos5.c (ie. change kerberos ticket type
to arcfour and encrypt the session key if arcfour is the kerberos ticket
type) works.

> Want I want to see it more people stop using telnet and moving over to
> ssh/gssapi (both userauth and kex-exchange).

I'd love to see OpenSSH used instead, too, but we have a client that has
requested this. We also provide an OpenSSH derivative with the GSSAPI
kex patches for customers, I can only assume they have a good reason
to be using telnet rather than ssh.

-Ted

Index: kerberos5.c
===================================================================
--- kerberos5.c	(Revision 16)
+++ kerberos5.c	(Revision 84)
@@ -244,7 +244,7 @@
 	return(0);
     }
 
-    krb5_auth_con_setkeytype (context, auth_context, KEYTYPE_DES);
+    krb5_auth_con_setkeytype (context, auth_context, KEYTYPE_ARCFOUR);
 
     foo[0] = ap->type;
     foo[1] = ap->way;
@@ -494,9 +494,11 @@
 			UserNameRequested ? UserNameRequested : "<unknown>",
 			RemoteHostName ? RemoteHostName : "<unknown>");
 
+#ifdef ENCRYPTION
 	    if(key_block->keytype == ETYPE_DES_CBC_MD5 ||
 	       key_block->keytype == ETYPE_DES_CBC_MD4 ||
-	       key_block->keytype == ETYPE_DES_CBC_CRC) {
+	       key_block->keytype == ETYPE_DES_CBC_CRC ||
+	       key_block->keytype == ETYPE_ARCFOUR_HMAC_MD5) {
 		Session_Key skey;
 
 		skey.type = SK_DES;
@@ -504,6 +506,7 @@
 		skey.data = key_block->keyvalue.data;
 		encrypt_session_key(&skey, 0);
 	    }
+#endif
 
 	} else {
 	    char *msg;

References:
- telnet: Encrypting the session key
  - From: "Ted Percival" <Ted.Percival@quest.com>
- Re: telnet: Encrypting the session key
  - From: Love Hörnquist Åstrand <lha@kth.se>

Prev by Date: RE: telnet: Encrypting the session key
Next by Date: Re: telnet: Encrypting the session key
Prev by thread: RE: telnet: Encrypting the session key
Next by thread: Re: telnet: Encrypting the session key
Index(es):
- Date
- Thread