[24332] in Kerberos


Re: potential for harm in DES AD/MIT trust

daemon@ATHENA.MIT.EDU (Colin Hudler)
Fri Jul 22 15:18:36 2005

Message-ID: <42E14661.5060900@uchicago.edu>
Date: Fri, 22 Jul 2005 14:17:53 -0500
From: Colin Hudler <chudler@uchicago.edu>
MIME-Version: 1.0
To: Brian Davidson <bdavids1@gmu.edu>
In-Reply-To: <63ac616db3f104965ed4214e054314a2@gmu.edu>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
cc: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu

Brian Davidson wrote:

> On Jun 4, 2005, at 11:27 AM, Jeffrey Altman wrote:
>
>> The MIT Kerberos team worked with the Microsoft Windows Security team
>> to make sure that RC4-HMAC could be used for cross-realm authentication
>> by Windows Server specifically because of the concerns you raise.   DES
>> keys are very weak and if they must be used because that is all that is
>> supported, then the keys must be replaced on a very regular basis
>> until such time as they no longer need to be used.
>>
>> With 2003 Server SP1 there should no longer be a reason to use DES keys
>> for anything but compatibility with Java 1.5 and earlier.
>
> Has anyone had success with this?  I just tried to use RC4-HMAC for a
> cross-realm trust with Server 2003 SP1, and it didn't work.  I could
> only get the trust to work with a DES key.
>
> Do you know if Microsoft has any of this documented anywhere?  I
> didn't see any mention of this in the "Windows Server 2003 Service
> Pack 1 list of updates"
>
> I'm hoping there's just a registry setting that needs to be made to
> enable this...
>
> Thanks,
>
> Brian Davidson
> George Mason University
>
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
Hi Brian,

After setting the trust, install Windows 2003 SP1 Support tools, then run

ktpass -MitRealmName <REALM> -TrustEncryp RC4

I do not know where or if this is documented (besides the /? of
ktpass).  By the way, RC4 is not the default despite what "ktpass /?"
might say.   Hope that helps.

--
Colin Hudler
University of Chicago
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
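A check the MIT-side KDC administrator would want after re-keying the trust with RC4, added here as an example and not part of either message in the thread: on the MIT KDC, `kadmin -q "getprinc krbtgt/AD-REALM@MIT-REALM"` lists every key held by the cross-realm principal, and the function below scans that output for single-DES enctypes that are still present. The realm names and the getprinc output embedded in the script are constructed placeholders; the script does not contact a KDC.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread).  Feed it the output of
#   kadmin -q "getprinc krbtgt/AD.EXAMPLE.COM@MIT.EXAMPLE.COM"
# and it reports any single-DES keys still attached to the cross-realm
# principal.  The sample below is constructed; realm names are placeholders.
SAMPLE_GETPRINC='Principal: krbtgt/AD.EXAMPLE.COM@MIT.EXAMPLE.COM
Expiration date: [never]
Last password change: Fri Jul 22 14:00:00 CDT 2005
Number of keys: 3
Key: vno 2, arcfour-hmac
Key: vno 2, des-cbc-crc
Key: vno 2, des-cbc-md5
Attributes:
Policy: [none]'

# Read getprinc output on stdin.  For each "Key:" line whose enctype is
# single DES, print the enctype text (everything after "vno N, ").
# Exit status 0 if at least one single-DES key was found, 1 otherwise.
# Newer kadmin prints short names (des-cbc-crc); older releases spell them
# out (e.g. "DES cbc mode with CRC-32"), so matching is case-insensitive.
find_des_keys() {
    found=1
    while IFS= read -r line; do
        lower=$(printf '%s' "$line" | tr 'A-Z' 'a-z')
        case "$lower" in
            key:*triple*|key:*des3*)
                # 3DES is not the weak single-DES case; skip it
                ;;
            key:*des*)
                printf '%s\n' "${line#Key: vno *, }"
                found=0
                ;;
        esac
    done
    return $found
}

# Stand-alone run against the constructed sample.
if printf '%s\n' "$SAMPLE_GETPRINC" | find_des_keys; then
    echo "single-DES keys remain on the cross-realm principal: re-key the trust and restrict its enctypes"
else
    echo "no single-DES keys on the cross-realm principal"
fi
```

The Windows side of the same check is the trust's own key material, which ktpass rewrote; this script only confirms that the MIT krbtgt entry for the trust no longer carries the DES keys the thread warns about.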
