Current-Users archive


Re: kerberos issues with 10.0_BETA post openssl update



>> This looks like a jump to null in the RC4 logic using EVP_md4().
>> 
>> For EVP_rc4 we have a hack in Heimdal to do
>> 
>> 	EVP_CIPHER_fetch(NULL, "rc4", "provider=legacy")

I don't know if you have control over this, but ... RC4?  In 2023?  Yikes.
Kerberos clients do send a list of the supported crypto algorithms to the
KDC as part of the AS-REQ message so this would indicate to me that one
of three things is happening:

1) Your client is configured to only allow RC4 as a cipher (I've seen
   this happen when people misguidedly configure this in the Kerberos
   configuration files; normally this should never be done except in very
   unusual circumstances)
2) Your KDC does not support crypto algorithms other than RC4,
   which ... double yikes if that's the case.
3) Your KDC DOES support more modern crypto algorithms but you haven't
   changed your password in approximately forever.

If this is 1 or 3 it should be easy to fix and probably would be a good
idea to do so.

--Ken
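Cause 1 in Ken's list (a client whose krb5.conf restricts it to RC4) is the one you can check from the client side alone. The following is an added example, not code from Ken's message, the thread, or Heimdal: a small checker that reads the top-level `[libdefaults]` section of a krb5.conf and reports whether any enctype-restricting key lists only RC4 variants. The key names it looks at are the ones I know from the Heimdal (`default_etypes`, `default_as_etypes`, `default_tgs_etypes`) and MIT (`default_tkt_enctypes`, `default_tgs_enctypes`, `permitted_enctypes`) documentation; the sample configurations embedded below are constructed for the example, and `EXAMPLE.ORG` is a placeholder realm.

```python
import re
from typing import Dict, List

# Spellings of the RC4 enctypes accepted in Heimdal and MIT krb5.conf files.
RC4_ENCTYPES = {
    "arcfour-hmac-md5", "arcfour-hmac", "rc4-hmac",
    "arcfour-hmac-md5-56", "arcfour-hmac-exp", "rc4-hmac-exp",
}

# [libdefaults] keys that restrict which enctypes the client offers or accepts
# (Heimdal names first, then the MIT equivalents).
ENCTYPE_KEYS = (
    "default_etypes", "default_as_etypes", "default_tgs_etypes",
    "default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes",
)


def parse_libdefaults(text: str) -> Dict[str, str]:
    """Return key -> value for the top-level [libdefaults] section.

    Brace-nested blocks (as used under [realms]) are skipped, so a
    per-realm setting is never mistaken for a global one.
    """
    section = None
    depth = 0
    result: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m and depth == 0:
            section = m.group(1).lower()
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if section == "libdefaults" and depth == 0 and "=" in line:
            key, _, value = line.partition("=")
            result[key.strip().lower()] = value.strip()
    return result


def split_enctypes(value: str) -> List[str]:
    """Enctype lists may be separated by spaces and/or commas."""
    return [t.lower() for t in re.split(r"[\s,]+", value) if t]


def audit_enctypes(text: str) -> Dict[str, str]:
    """Classify each enctype-restricting key as 'rc4-only', 'rc4-allowed'
    or 'no-rc4'.  'rc4-only' is the misconfiguration Ken describes as cause 1."""
    findings: Dict[str, str] = {}
    for key, value in parse_libdefaults(text).items():
        if key not in ENCTYPE_KEYS:
            continue
        etypes = split_enctypes(value)
        rc4 = [e for e in etypes if e in RC4_ENCTYPES]
        if not rc4:
            verdict = "no-rc4"
        elif len(rc4) == len(etypes):
            verdict = "rc4-only"
        else:
            verdict = "rc4-allowed"
        findings[key] = verdict
    return findings


def rc4_only_keys(text: str) -> List[str]:
    """Names of the keys that leave the client with nothing but RC4."""
    return sorted(k for k, v in audit_enctypes(text).items() if v == "rc4-only")


# Constructed sample: the misconfiguration (cause 1).  The per-realm
# default_etypes under [realms] is deliberately there to show it is ignored.
MISCONFIGURED = """
[libdefaults]
    default_realm = EXAMPLE.ORG
    default_etypes = arcfour-hmac-md5
    default_tkt_enctypes = rc4-hmac

[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
        default_etypes = arcfour-hmac-md5
    }
"""

# Constructed sample: RC4 still negotiable but not the only option.
MIXED = """
[libdefaults]
    default_etypes = aes256-cts-hmac-sha1-96, arcfour-hmac-md5
"""

# Constructed sample: the corrected configuration, AES only.
CORRECTED = """
[libdefaults]
    default_realm = EXAMPLE.ORG
    default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""

if __name__ == "__main__":
    for name, cfg in (("misconfigured", MISCONFIGURED),
                      ("mixed", MIXED), ("corrected", CORRECTED)):
        print(name, audit_enctypes(cfg), "rc4-only keys:", rc4_only_keys(cfg))
```

Run it against `/etc/krb5.conf` by reading the file into `audit_enctypes`; an empty result means the client imposes no enctype restriction at all and cause 1 can be ruled out, leaving the KDC's supported enctypes (cause 2) or a stale password whose keys were only ever derived for RC4 (cause 3).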

