[979] in Kerberos_V5_Development
Re: So, why shouldn't appl/bsd use tripple-DES
daemon@ATHENA.MIT.EDU (Sam Hartman)
Fri Jan 26 13:04:01 1996
To: "Richard Basch" <basch@lehman.com>
Cc: Sam Hartman <hartmans@MIT.EDU>, krbdev@MIT.EDU
From: hartmans@MIT.EDU (Sam Hartman)
Date: 26 Jan 1996 13:03:14 -0500
In-Reply-To: "Richard Basch"'s message of Fri, 26 Jan 1996 05:43:33 -0500
>>>>> "Richard" == Richard Basch <basch@lehman.com> writes:

Richard> The session key that should be requested should be DES
Richard> not 3-DES; admittedly, the change need not be in kcmd.c,
Richard> but the encryption functionality of rsh/rlogin will only
Richard> handle DES, not 3-DES.

My question is: what in appl/bsd depends on the encryption
being DES not 3DES? I really can't find anything in the code.

Richard> Admittedly, telnet, in its current state also has this
Richard> restriction, and I forgot to change that, but I also had
Richard> plans to properly support 3-DES soon in telnet.

Already done; I can clearly find DES dependencies in the
telnet encryption code, so I inserted an

    in_creds.keyblock.enctype = ENCTYPE_DES_CBC_CRC

before calling krb5_get_credentials.
(I also debugged this code path so it works as documented
and searches for a specific enctype if the keyblock's
enctype is non-null.)

(You already know this, but telnetd is in serious need of a secure
standard for crypto options negotiation.)

Richard> On Thu, 25-January-1996, "Sam Hartman" wrote to
Richard> "krbdev@MIT.EDU" saying:
>> Someone in appl/bsd/kcmd.c set the default TGS enctypes to
>> DES_CBC_CRC. This breaks things with my new ccache changes,
>> because it can't find a tgt with an enctype that is in the
>> default enctype set anymore, so it can't go and get a DES host
>> ticket. This indicates that my changes to the ccache routines
>> may not be such a good idea. What I was trying to do was:
>>
>> * If the credentials request contains a particular enctype,
>> make sure I got that enctype. This is required for krb524d or
>> telnetd to work.
>>
>> * Avoid having the ccache code accidentally pick up tickets
>> with non-standard session key enctypes unless they were
>> specifically asked for. There was no reason to do this, other
>> than it appeared that was what the previous (broken) code was
>> trying to do.
>>
>> Besides, I see no good reason that anything in appl/bsd needs
>> DES; if I comment out the call to set_default_tgs_enctypes, it
>> appears to work fine with triple DES. Is there something I am
>> missing, or can this call go away?
>>
>> --Sam
Richard> -- Richard Basch Sr. Developer/Analyst URL:
Richard> http://web.mit.edu/basch/www/home.html Lehman Brothers,
Richard> Inc. Email: basch@lehman.com, basch@mit.edu 101 Hudson
Richard> St., 33rd Floor Fax: +1-201-524-5828 Jersey City, NJ
Richard> 07302-3988 Voice: +1-201-524-5049
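
The credential-cache matching rule discussed in this thread, as a small stand-alone model (an added example, not code from the message or from the MIT Kerberos tree). The names `cc_find`, `find_tgt`, `struct cred`, the `ET_*` constants, the realm `EXAMPLE.ORG` and the value used for triple DES are assumptions made for illustration; it shows why narrowing the default enctype set to DES leaves a triple-DES TGT unfindable unless the request names that enctype.

```c
#include <stdio.h>
#include <string.h>

/* 0 and 1 are the krb5.h values of ENCTYPE_NULL and ENCTYPE_DES_CBC_CRC;
 * ET_DES3 is a constructed stand-in for a triple-DES enctype. */
enum { ET_NULL = 0, ET_DES_CBC_CRC = 1, ET_DES3 = 100 };

struct cred { const char *server; int enctype; };  /* simplified cache entry */

/* Constructed cache holding only a triple-DES TGT, as in the thread. */
static const struct cred sample_cc[] = { { "krbtgt/EXAMPLE.ORG", ET_DES3 } };
static const int des_only[] = { ET_DES_CBC_CRC };   /* defaults after the kcmd.c call */
static const int des3_and_des[] = { ET_DES3, ET_DES_CBC_CRC };

static int in_set(int et, const int *set, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (set[i] == et) return 1;
    return 0;
}

/* Return the index of the first usable credential for `server`, or -1.
 * want != ET_NULL : the caller asked for one enctype; accept only that.
 * want == ET_NULL : accept only enctypes in the default set. */
int cc_find(const struct cred *cc, size_t ncc, const char *server,
            int want, const int *defaults, size_t ndef)
{
    for (size_t i = 0; i < ncc; i++) {
        if (strcmp(cc[i].server, server) != 0) continue;
        if (want != ET_NULL ? cc[i].enctype == want
                            : in_set(cc[i].enctype, defaults, ndef))
            return (int)i;
    }
    return -1;
}

/* Look up the TGT in the constructed cache under a given policy. */
int find_tgt(int want, const int *defaults, size_t ndef)
{
    return cc_find(sample_cc, 1, "krbtgt/EXAMPLE.ORG", want, defaults, ndef);
}

int main(void)
{
    printf("DES-only defaults, no enctype asked: %d\n", find_tgt(ET_NULL, des_only, 1));
    printf("3DES in defaults, no enctype asked:  %d\n", find_tgt(ET_NULL, des3_and_des, 2));
    printf("DES-only defaults, 3DES asked:       %d\n", find_tgt(ET_DES3, des_only, 1));
    return 0;
}
```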