Subject: Re: WARNING: Heimdal Krb5 interoperability issue as of 2/11/2001
To: None <assar@netbsd.org>
From: Jason R Thorpe <thorpej@zembu.com>
List: current-users
Date: 03/12/2001 08:42:00
On Mon, Mar 12, 2001 at 03:20:40AM +0100, assar@netbsd.org wrote:
> You were using a modern kinit against an older KDC, right? Then I
Yes, modern kinit vs older KDC. klist -v says:
dr-evil:thorpej 24$ klist -v
Credentials cache: FILE:/tmp/krb5cc_7518.ttyE0
Principal: thorpej@SHAGADELIC.ORG
Cache version: 4
Server: krbtgt/SHAGADELIC.ORG@SHAGADELIC.ORG
Ticket etype: des3-cbc-sha1, kvno 1
Auth time: Mar 12 08:36:08 2001
End time: Mar 12 18:36:06 2001
Renew till: Mar 19 08:36:08 2001
Ticket flags: forwardable, renewable, initial
Addresses: IPv4:192.168.0.17, IPv6:3ffe:507:183:1:200:f1ff:fe11:5e06
v4-ticket file: /tmp/tkt7518
klist: No ticket file (tf_util)
dr-evil:thorpej 25$
...and the ticket fails to work properly:
dr-evil:thorpej 26$ telnet -ax yeah-baby.shagadelic.org
Trying 3ffe:507:183::1...
telnet: connect to address 3ffe:507:183::1: Connection refused
Trying 208.176.2.162...
Connected to yeah-baby.shagadelic.org.
Escape character is '^]'.
[ Trying KERBEROS5 ... ]
Kerberos V5: mk_req failed (Decrypt integrity check failed)
[ Trying KERBEROS5 ... ]
Kerberos V5: mk_req failed (Decrypt integrity check failed)
login: Connection closed by foreign host.
dr-evil:thorpej 27$
> think the problem is that we were using the wrong key usage and that
> there is code in the KDC for handling both, but that of course doesn't
> work when it's the client that's using the wrong type. Adding:
>
> [libdefaults]
> default_etypes = des-cbc-md5 des-cbc-md4 des-cbc-crc
>
> to your /etc/krb5.conf should also work.
Yah, this works, too:
dr-evil:thorpej 30$ klist -v
Credentials cache: FILE:/tmp/krb5cc_7518.ttyE0
Principal: thorpej@SHAGADELIC.ORG
Cache version: 4
Server: krbtgt/SHAGADELIC.ORG@SHAGADELIC.ORG
Ticket etype: des-cbc-md5, kvno 1
Auth time: Mar 12 08:39:50 2001
End time: Mar 12 18:39:50 2001
Renew till: Mar 19 08:39:50 2001
Ticket flags: forwardable, renewable, initial
Addresses: IPv4:192.168.0.17, IPv6:3ffe:507:183:1:200:f1ff:fe11:5e06
v4-ticket file: /tmp/tkt7518
klist: No ticket file (tf_util)
dr-evil:thorpej 31$
...and the telnet command now works.
--
-- Jason R. Thorpe <thorpej@zembu.com>
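An added example, not part of this message or of Heimdal: a small Python check that parses klist -v output like the above together with the [libdefaults] stanza from the quoted fix, reports whether each ticket's etype is in default_etypes, and flags when that list pins the client to single-DES enctypes. The sample output and stanza are constructed from the text above; the function names are assumptions of this example.

```python
import re

# Single-DES enctypes (Heimdal/MIT names): allowing only these lets a newer kinit
# match an old KDC, but it pins every ticket to a 56-bit cipher.
SINGLE_DES = {"des-cbc-md5", "des-cbc-md4", "des-cbc-crc"}

# Constructed sample, after the first klist -v in the message (before the fix).
KLIST_BEFORE = """\
Credentials cache: FILE:/tmp/krb5cc_7518.ttyE0
Server: krbtgt/SHAGADELIC.ORG@SHAGADELIC.ORG
Ticket etype: des3-cbc-sha1, kvno 1
Ticket flags: forwardable, renewable, initial
"""

# Constructed sample of the /etc/krb5.conf stanza from the quoted reply.
KRB5_CONF = """\
[libdefaults]
    default_etypes = des-cbc-md5 des-cbc-md4 des-cbc-crc
"""

def parse_klist(text):
    """One dict per ticket ({server, etype, kvno, flags}) from klist -v output."""
    tickets, cur = [], None
    for line in text.splitlines():
        key, _, value = (p.strip() for p in line.partition(":"))
        if key == "Server":
            cur = {"server": value}
            tickets.append(cur)
        elif key == "Ticket etype" and cur:
            etype, _, kvno = value.partition(", kvno ")
            cur["etype"], cur["kvno"] = etype, int(kvno or 0)
        elif key == "Ticket flags" and cur:
            cur["flags"] = [f.strip() for f in value.split(",")]
    return tickets

def default_etypes(conf_text):
    """default_etypes from the [libdefaults] section as a list, [] if unset."""
    sec = re.search(r"^\s*\[libdefaults\]\s*$(.*?)(?=^\s*\[|\Z)", conf_text, re.S | re.M)
    if not sec:
        return []
    m = re.search(r"^\s*default_etypes\s*=\s*(.+)$", sec.group(1), re.M)
    return m.group(1).split() if m else []

def assess(klist_text, conf_text):
    """Per ticket: is its etype allowed by the config, and does the config pin single DES."""
    allowed = default_etypes(conf_text)
    pinned = bool(allowed) and set(allowed) <= SINGLE_DES
    return [{"server": t["server"], "etype": t.get("etype"),
             "allowed_by_config": t.get("etype") in allowed,
             "config_pins_single_des": pinned} for t in parse_klist(klist_text)]
```

Running assess() on the sample shows the des3-cbc-sha1 ticket is not in the configured list, and that the list itself consists only of single-DES enctypes.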