[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Enabling arcfour on Heimdal-0.6.3/OpenBSD

To: Rogier Krieger <rkrieger@gmail.com>
Subject: Re: Enabling arcfour on Heimdal-0.6.3/OpenBSD
From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
Date: Mon, 17 Oct 2005 20:47:28 -0700
Cc: Heimdal-discuss list <heimdal-discuss@sics.se>
In-Reply-To: <b1468e300510171413j34badecyf2f2cac3629550c3@mail.gmail.com>
References: <b1468e300510080431p5cb4911agef70438b938d83d2@mail.gmail.com> <m2vf0530av.fsf@c80-217-232-48.cm-upc.chello.se> <5d85f73023cf1b97bf0eb38c2f284f4d@jpl.nasa.gov> <b1468e300510171413j34badecyf2f2cac3629550c3@mail.gmail.com>
Sender: owner-heimdal-discuss@sics.se

W2K3 SP1 can use RC4 for cross-realm with a non-windows kdc.  There's a  
check box somewhere for using des-cbc-md5 that you need to *not* check,  
I've heard.  (Previously you had to check it or it wouldn't work.)

On Oct 17, 2005, at 2:13 PM, Rogier Krieger wrote:

> On 10/13/05, Henry B. Hotz <hotz@jpl.nasa.gov> wrote:
>> You can edit dumpfile entries and merge the changes back.
> <snip>
>> You can use add --random-password instead of add -r.
>
> Both suggestions (of using --random-password and editing the dump
> file) seemed to work fine for me on the KDC end. Thanks for the
> pointers; they're much appreciated.
>
> I do wonder whether my WinXP workstation still obtains a TGT at
> DES-CBC-MD5 and a host-ticket at RC4-HMAC, even if my principals all
> have rc4-hmac keys belonging to them. Am I right to blame WinXP on
> this issue? I'm inclined to do so after digging through the MS KB
> documents detailing only DES. Yet, puzzlingly enough, my host ticket
> is an RC4 one, so perhaps I'm wrong here.
>
> I included my credential cache listings below for illustration. These
> were obtained from my MS credential cache (which I import to KfW Leash
> at startup).
>
> Cached Tickets: (2)
>    Server: krbtgt/WEP.TUDELFT.NL@WEP.TUDELFT.NL
>       KerbTicket Encryption Type: Kerberos DES-CBC-MD5
>       End Time: 10/24/2005 21:30:08
>       Renew Time: 11/16/2005 21:30:08
>
>    Server: host/valhalla.wep.local@WEP.TUDELFT.NL
>       KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
>       End Time: 10/18/2005 21:30:08
>       Renew Time: 10/24/2005 21:30:08
>
>
>> You can upgrade to 0.7.x.
>
> True, although in principle, I prefer to stick with the in-base
> components (of OpenBSD) if they do the job. This choice is primarily
> based upon ease of maintenance and/or patching the system. Of course,
> there are exceptions.
>
> Perhaps it's time for me to (help) work on integrating 0.7.x into the
> OpenBSD tree. If the functionality is sufficient, I normally stick
> with versions for a while and figure out my preferred upgrade path.
>
> Thanks in advance,
>
> Rogier
>
> --
> If you don't know where you're going, any road will get you there.
>
>
------------------------------------------------------------------------ 
----
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu

References:
- Enabling arcfour on Heimdal-0.6.3/OpenBSD
  - From: Rogier Krieger <rkrieger@gmail.com>
- Re: Enabling arcfour on Heimdal-0.6.3/OpenBSD
  - From: Love Hörnquist Åstrand <lha@kth.se>
- Re: Enabling arcfour on Heimdal-0.6.3/OpenBSD
  - From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
- Re: Enabling arcfour on Heimdal-0.6.3/OpenBSD
  - From: Rogier Krieger <rkrieger@gmail.com>

Prev by Date: EMERGENCY!
Next by Date: Re: Easiest way to get service ticket after obtaining tgt
Prev by thread: Re: Enabling arcfour on Heimdal-0.6.3/OpenBSD
Next by thread: restarting ipropd-master
Index(es):
- Date
- Thread