I was building Heimdal's telnet (and several other apps) with a krb5 implementation that only uses ARCFOUR tickets, not DES tickets. The first change was in appl/telnet/libtelnet/kerberos5.c:247, changing KEYTYPE_DES to KEYTYPE_ARCFOUR. I ran into a problem where the client's data showed up garbled on the server. The reason turned out to be a keytype check in appl/telnet/libtelnet/kerberos5.c. kerberos5_reply() calls encrypt_session_key() regardless of keytype, but kerberos5_is() only encrypts it in the following case:
    if(key_block->keytype == ETYPE_DES_CBC_MD5 ||
       key_block->keytype == ETYPE_DES_CBC_MD4 ||
       key_block->keytype == ETYPE_DES_CBC_CRC) {
The fix I have used so far is to add a check for
    key_block->keytype == ETYPE_ARCFOUR_HMAC_MD5
to that list.
My question is whether this keytype check should be done at all; perhaps the session key should always be created and encrypted regardless. Otherwise, it is probably helpful for the Heimdal source to also create an encrypted session key for ETYPE_ARCFOUR_HMAC_MD5 by adding the same check to the if block shown above.
The Subversion source repository I'm using is available from http://rc.vintela.com/svn/repos/vas-apps/trunk/ (particularly the heimdal directory). The main change was made in revision 83.
Cheers,
-Ted Percival
(Sorry about this message being HTMLised, I wish I could disable it.)