
Re: telnet: Encrypting the session key




"Ted Percival" <Ted.Percival@quest.com> writes:

> I was building Heimdal's telnet (and several other apps) with a krb5
> implementation that only uses ARCFOUR tickets, not DES tickets. The first
> change was in appl/telnet/libtelnet/kerberos5.c:247, changing KEYTYPE_DES
> to KEYTYPE_ARCFOUR. I ran into a problem where the client's data showed
> up garbled on the server. The reason turned out to be a keytype check in
> appl/telnet/libtelnet/kerberos5.c. kerberos5_reply() calls
> encrypt_session_key() regardless of keytype, but kerberos5_is() only
> encrypts it in the following case:

I thought that the telnet standard only supported DES and triple DES, of
which Heimdal only supports the DES case. Jeffrey Altman might know more
about that.

One problem is that Heimdal is not that good at returning sensible
enctypes, in both AS-REQ and TGS-REQ. Does the Windows Kerberos server not
support the arcfour enctype for the ticket, with single-des for the session
key?

What I want to see is more people stop using telnet and move over to
ssh/gssapi (both userauth and kex-exchange).

Love
