[23676] in Kerberos

home help back first fref pref prev next nref lref last post

Re: Getting single DES TGT

daemon@ATHENA.MIT.EDU (Sam Hartman)
Fri Apr 8 09:50:58 2005

To: Craig Huckabee <huck@spawar.navy.mil>
From: Sam Hartman <hartmans@mit.edu>
Date: Thu, 07 Apr 2005 17:35:59 -0400
In-Reply-To: <4255A29D.6070202@spawar.navy.mil> (Craig Huckabee's message of
 "Thu, 07 Apr 2005 17:14:05 -0400")
Message-ID: <tsl8y3u46dc.fsf@cz.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
cc: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu

>>>>> "Craig" == Craig Huckabee <huck@spawar.navy.mil> writes:

    Craig> Hi all, I saw this discussion on krb-dev on moving to 3DES
    Craig> support and wanted to ask a similar question (hopefully
    Craig> more appropriately on this list).

    Craig>    We're trying to use the Advanced Security Option in
    Craig> Oracle 9.x/10.x to enable Kerberos authentication -
    Craig> unfortunately, they don't support 3DES keys yet and won't
    Craig> for the near future.  Our KDC is MIT 1.3.6 running on
    Craig> Linux.

    Craig>    I've been trying to force clients to ask only for
    Craig> des-cbc-crc TGTs, but haven't been able to do so.  A
    Craig> getprinc on the krbtgt principal for my realm looks like:

    Craig>     Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
    Craig> Key: vno 3, DES cbc mode with CRC-32, no salt Key: vno 3,
    Craig> DES cbc mode with CRC-32, Version 4

    Craig> But even when I set:

    Craig>    default_tgs_enctypes = des-cbc-crc default_tkt_enctypes
    Craig> = des-cbc-crc

    Craig> on the client, I get a des-cbc-crc session key, but a 3des
    Craig> tkt.  This happens with an MIT 1.3.6 kinit on Linux and
    Craig> Solaris.

As you should.  it would be a security weakness for the client to be
able to influence the ticket key.  Besides a correctly written client
should not even notice the ticket key.

Unfortunately Oracle is not a correctly written client.  Their code
was based on MIT Kerberos from before the 1.0 release and is missing a
fix that is necessary to make multiple encryption types work.  Despite
several attempts to work with the Oracle developers, Oracle has not
seen the need to fix this bug.

The best you can do is use the -e argument of the kvno program to
request a des-cbc-crc ticket for the appropriate oracle service
principal before you start Oracle.


--Sam
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

home help back first fref pref prev next nref lref last post