[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Heimdal DES encryption!!
>The hostkey is not the hex value of the key; it is an 'encoded' value.
>I'll leave it as an exercise to the reader to figure out how to determine
>the encoding, but you can directly enter an encoded value in the CLI
>instead of loading it via tftp. So you could enter this encoded value
>on another router and perhaps use a test KDC to determine the key?
>Sounds infeasible to me [+ easier ways to break in].
Actually ... as I understood it from a cisco employee, it's pretty much
a straight translation of the host key into a printable format (just not
hex). So if you grab it, you could then masquerade as anyone to
that router. Although .... I thought the key for the router was only
available to the cisco "superuser" equivalant. I believe under some
weird cases (like you have the domestic release and you do some
additional magic) then it gets "hidden" by even the UI.
>But as for being able to login, Cisco actually has this part right.
>Kerberos provides authentication, not authorization. Once a principal's
>identity is verified, to restrict logins you need to use
>tacacs+/xtacacs/radius for authorization. Unfortunately, the 'secret'
>for those protocols is directly visible in the UI.
I believe we just create local login accounts; seems to work reasonably
well.
--Ken