[977] in Kerberos_V5_Development
Re: So, why shouldn't appl/bsd use triple-DES
daemon@ATHENA.MIT.EDU (Richard Basch)
Fri Jan 26 05:44:31 1996
Date: Fri, 26 Jan 1996 05:43:33 -0500
To: Sam Hartman <hartmans@MIT.EDU>
Cc: krbdev@MIT.EDU
In-Reply-To: <199601252148.QAA12001@tertius.mit.edu>
From: "Richard Basch" <basch@lehman.com>

The session key that should be requested should be DES not 3-DES;
admittedly, the change need not be in kcmd.c, but the encryption
functionality of rsh/rlogin will only handle DES, not 3-DES.
Admittedly, telnet, in its current state also has this restriction, and
I forgot to change that, but I also had plans to properly support 3-DES
soon in telnet.

On Thu, 25-January-1996, "Sam Hartman" wrote to "krbdev@MIT.EDU" saying:
> Someone in appl/bsd/kcmd.c set the default TGS enctypes to
> DES_CBC_CRC. This breaks things with my new ccache changes, because
> it can't find a tgt with an enctype that is in the default enctype set
> anymore, so it can't go and get a DES host ticket. This indicates
> that my changes to the ccache routines may not be such a good idea.
> What I was trying to do was:
>
> * If the credentials request contains a particular enctype, make sure
> I got that enctype. This is required for krb524d or telnetd to work.
>
> * Avoid having the ccache code accidentally pick up tickets with
> non-standard session key enctypes unless they were specifically asked
> for. There was no reason to do this, other than it appeared that was
> what the previous (broken) code was trying to do.
>
> Besides, I see no good reason that anything in appl/bsd needs
> DES; if I comment out the call to set_default_tgs_enctypes, it appears
> to work fine with triple DES. Is there something I am missing, or
> can this call go away?
>
> --Sam
--
Richard Basch
Sr. Developer/Analyst URL: http://web.mit.edu/basch/www/home.html
Lehman Brothers, Inc. Email: basch@lehman.com, basch@mit.edu
101 Hudson St., 33rd Floor Fax: +1-201-524-5828
Jersey City, NJ 07302-3988 Voice: +1-201-524-5049
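
Added example, not part of either message and not MIT Kerberos code: a small C model of the two ccache matching rules listed in the quoted message, showing why a DES-only default enctype set hides a TGT whose session key is triple DES. The enctype constants, the struct, the function names and the cache contents are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed enctype ids for this model; not the values from krb5.h. */
enum { ET_ANY = 0, ET_DES_CBC_CRC = 1, ET_DES3 = 2 };

struct cred { const char *server; int key_enctype; };

/* Constructed cache: one TGT whose session key is triple DES. */
static const struct cred cache[] = {
    { "krbtgt/EXAMPLE.ORG", ET_DES3 },
};

static int in_set(int e, const int *set, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (set[i] == e) return 1;
    return 0;
}

/* Rule 1: a request that names an enctype matches only that enctype.
 * Rule 2: otherwise only session keys in the default set match. */
static int cred_matches(const struct cred *c, int want,
                        const int *defaults, size_t n) {
    if (want != ET_ANY) return c->key_enctype == want;
    return in_set(c->key_enctype, defaults, n);
}

/* Returns the first matching credential for server, or NULL. */
const struct cred *cc_find(const char *server, int want,
                           const int *defaults, size_t n) {
    for (size_t i = 0; i < sizeof cache / sizeof cache[0]; i++)
        if (strcmp(cache[i].server, server) == 0 &&
            cred_matches(&cache[i], want, defaults, n))
            return &cache[i];
    return NULL;
}

int main(void) {
    const int des_only[] = { ET_DES_CBC_CRC };  /* default set as kcmd.c left it */
    const int both[]     = { ET_DES3, ET_DES_CBC_CRC };
    const char *tgt = "krbtgt/EXAMPLE.ORG";
    printf("DES-only defaults: %s\n",
           cc_find(tgt, ET_ANY, des_only, 1) ? "TGT found" : "no TGT");
    printf("3DES in defaults:  %s\n",
           cc_find(tgt, ET_ANY, both, 2) ? "TGT found" : "no TGT");
    return 0;
}
```

With the DES-only default set the lookup returns no TGT, which is the failure described in the quoted message; an explicit request for the triple-DES enctype still matches under rule 1.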