Re: Enctype Negotiation Problem - Kerberos



Thread: Re: Enctype Negotiation Problem

  1. Re: Enctype Negotiation Problem



    > >> Except the issue here is he's getting a DES_CBC_MD4 session key when he
    > >> wants DES_CBC_CRC. The "why" is likely in the code you're quoting -
    > >> DES_CBC_MD4 is a "better" enctype, and both sides appear to support it
    > >> (since the single-des types are interchangeable).
    > >
    > >> I'd be curious to know how the resulting ticket is not "useful"; that
    > >> is, what application is being used and what error results when
    > >> attempting to use that ticket.
    > >
    > > Here is the error reported by the user:
    > >
    > > $ telnet -fax cerberus.ait.iastate.edu
    > > Encryption is verbose
    > > Trying 129.186.145.115...
    > > Connected to cerberus.ait.iastate.edu.
    > > Escape character is '^]'.
    > > [ Trying mutual KERBEROS5 (host/cerberus.ait.iastate.edu@IASTATE.EDU)... ]
    > > [ Kerberos V5 refuses authentication because telnetd:
    > > krb5_rd_req failed: Encryption type not permitted ]
    > > [ Trying KERBEROS5 (host/cerberus.ait.iastate.edu@IASTATE.EDU)... ]
    > > [ Kerberos V5 refuses authentication because telnetd:
    > > krb5_rd_req failed: Encryption type not permitted ]
    >
    > Is the telnetd also heimdal? That sounds like either the machine running
    > telnetd is configured to require des-cbc-crc, or its keytab contains only a
    > des-cbc-crc key. You can fix the latter problem by using ktutil to copy
    > the keytab to a v4 srvtab and back.


    Yes, the keytab has only a des-cbc-crc key as that's all the KDB has.

    John
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Enctype Negotiation Problem



    On Wednesday, October 11, 2006 06:20:30 PM -0500 John Hascall wrote:

    >> >> Except the issue here is he's getting a DES_CBC_MD4 session key when
    >> >> he wants DES_CBC_CRC. The "why" is likely in the code you're quoting
    >> >> - DES_CBC_MD4 is a "better" enctype, and both sides appear to support
    >> >> it (since the single-des types are interchangeable).
    >> >
    >> >> I'd be curious to know how the resulting ticket is not "useful"; that
    >> >> is, what application is being used and what error results when
    >> >> attempting to use that ticket.
    >> >
    >> > Here is the error reported by the user:
    >> >
    >> > $ telnet -fax cerberus.ait.iastate.edu
    >> > Encryption is verbose
    >> > Trying 129.186.145.115...
    >> > Connected to cerberus.ait.iastate.edu.
    >> > Escape character is '^]'.
    >> > [ Trying mutual KERBEROS5
    >> > (host/cerberus.ait.iastate.edu@IASTATE.EDU)... ] [ Kerberos V5 refuses
    >> > authentication because telnetd:
    >> > krb5_rd_req failed: Encryption type not permitted ]
    >> > [ Trying KERBEROS5 (host/cerberus.ait.iastate.edu@IASTATE.EDU)... ]
    >> > [ Kerberos V5 refuses authentication because telnetd:
    >> > krb5_rd_req failed: Encryption type not permitted ]
    >>
    >> Is the telnetd also heimdal? That sounds like either the machine
    >> running telnetd is configured to require des-cbc-crc, or its keytab
    >> contains only a des-cbc-crc key. You can fix the latter problem by
    >> using ktutil to copy the keytab to a v4 srvtab and back.
    >
    > Yes, the keytab has only a des-cbc-crc key as that's all the KDB has.


    Ah, but MIT Kerberos treats des-cbc-crc, des-cbc-md4, and des-cbc-md5 as
    interchangeable in a variety of cases, and Heimdal does not. So if you
    have an MIT KDC and Heimdal application servers, then a principal with a
    des-cbc-crc key in the KDB needs to have all three enctypes in its keytab.

    -- Jeff


  3. Re: Enctype Negotiation Problem


    > >> >> - DES_CBC_MD4 is a "better" enctype, and both sides appear to support
    > >> >> it (since the single-des types are interchangeable).
    > >> >
    > >> >> I'd be curious to know how the resulting ticket is not "useful"; that
    > >> >> is, what application is being used and what error results when
    > >> >> attempting to use that ticket.
    > >> >
    > >> > Here is the error reported by the user:
    > >> >
    > >> > $ telnet -fax cerberus.ait.iastate.edu
    > >> > Encryption is verbose
    > >> > Trying 129.186.145.115...
    > >> > Connected to cerberus.ait.iastate.edu.
    > >> > Escape character is '^]'.
    > >> > [ Trying mutual KERBEROS5
    > >> > (host/cerberus.ait.iastate.edu@IASTATE.EDU)... ] [ Kerberos V5 refuses
    > >> > authentication because telnetd:
    > >> > krb5_rd_req failed: Encryption type not permitted ]
    > >> > [ Trying KERBEROS5 (host/cerberus.ait.iastate.edu@IASTATE.EDU)... ]
    > >> > [ Kerberos V5 refuses authentication because telnetd:
    > >> > krb5_rd_req failed: Encryption type not permitted ]
    > >>
    > >> Is the telnetd also heimdal? That sounds like either the machine
    > >> running telnetd is configured to require des-cbc-crc, or its keytab
    > >> contains only a des-cbc-crc key. You can fix the latter problem by
    > >> using ktutil to copy the keytab to a v4 srvtab and back.
    > >
    > > Yes, the keytab has only a des-cbc-crc key as that's all the KDB has.
    >
    > Ah, but MIT Kerberos treats des-cbc-crc, des-cbc-md4, and des-cbc-md5 as
    > interchangeable in a variety of cases, and Heimdal does not. So if you
    > have an MIT KDC and Heimdal application servers, then a principal with a
    > des-cbc-crc key in the KDB needs to have all three enctypes in its keytab.


    Well, that's just icky.

    I was able to solve the problem by adding the following line to the KDC's
    krb5.conf file:

    [libdefaults]
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 \
    des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc


    Thanks,
    John
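The following is an added example, not code from the thread or from MIT/Heimdal, illustrating two points above: Jeff's note that a Heimdal application server needs all three single-DES variants in its keytab while MIT treats them as interchangeable, and John's permitted_enctypes fix on the KDC. It parses a constructed `klist -k -e` listing (example.org hosts, not the real ones), reports principals whose single-DES coverage is incomplete, models the service-key lookup under both strict and MIT-style semantics (a simplified assumption, not the libraries' actual code paths), and checks keytab enctypes against the permitted_enctypes line from the thread.

```python
"""Audit a keytab listing and model the enctype checks discussed in the thread."""
import re

# The three single-DES enctypes that MIT krb5 treats as interchangeable and
# Heimdal does not (Jeff's point above).
SINGLE_DES = ("des-cbc-crc", "des-cbc-md4", "des-cbc-md5")

# Constructed sample of `klist -k -e` output; not taken from the thread.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   3 host/cerberus.example.org@EXAMPLE.ORG (des-cbc-crc)
   3 host/other.example.org@EXAMPLE.ORG (des-cbc-crc)
   3 host/other.example.org@EXAMPLE.ORG (des-cbc-md4)
   3 host/other.example.org@EXAMPLE.ORG (des-cbc-md5)
   5 ftp/other.example.org@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
"""

# permitted_enctypes value John added to the KDC's krb5.conf in the thread.
PERMITTED = ("aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 "
             "des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc")
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")

def parse_klist(text):
    """Return {principal: {enctype, ...}} from klist -k -e output."""
    keys = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            keys.setdefault(m.group(2), set()).add(m.group(3))
    return keys

def missing_single_des(keys):
    """Principals holding some single-DES key but not all three variants."""
    report = {}
    for princ, encs in keys.items():
        have = encs & set(SINGLE_DES)
        if have and have != set(SINGLE_DES):
            report[princ] = sorted(set(SINGLE_DES) - have)
    return report

def server_can_decrypt(ticket_enctype, keytab_enctypes, mit_semantics=False):
    """Simplified model (assumption): Heimdal needs an exact enctype match;
    under MIT semantics any single-DES key serves a single-DES ticket."""
    if ticket_enctype in keytab_enctypes:
        return True
    return mit_semantics and ticket_enctype in SINGLE_DES and bool(set(SINGLE_DES) & set(keytab_enctypes))

def not_permitted(enctypes, permitted_value=PERMITTED):
    """Enctypes absent from a krb5.conf permitted_enctypes list."""
    return sorted(set(enctypes) - set(permitted_value.split()))
```

With the sample, the cerberus host principal is reported as missing des-cbc-md4 and des-cbc-md5, which is the situation Jeff describes; a des-cbc-md4 ticket is rejected under strict matching but accepted under MIT semantics.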

