Ticket #529: Make Athena ready to transition away from single-DES

Reporter: andersk · Type: defect · Status: new · Priority: critical · Milestone: Fall 2010 · Component: --

[Not entirely a Debathena bug, but this is the most convenient place to keep track of it.]

As an experiment, I modified my Kerberos principal to have only a triple-DES enctype using kadmin:

{{{
kadmin: cpw -e des3-hmac-sha1:normal andersk
}}}

This works out fine from a Kerberos client perspective:

 * kinit -5, kinit -45, and krb524init all work, which allows me to use any Kerberized service as normal, including krb4 Zephyr and krb4 IMAP.
 * kinit -4 no longer works (kinit(v4): Kerberos principal unknown), which is expected because Kerberos IV can only use a single-DES key to encrypt my TGT. But that is okay because kinit -45 or krb524init replace this functionality.
 * aklog and AFS work fine.

However, it exposed some problems with various password-authenticated services:

 * ~~[https://ca.mit.edu/ca/ ca.mit.edu] does not allow me to generate a new MIT certificate.~~ '''FIXED.'''
 * The PO servers do not allow me to log in over IMAP using a password. (Kerberized IMAP still works.) I receive this error using imtest:
{{{
$ imtest -s -m login andersk.mail.mit.edu
…
Please enter your password:
C: L01 LOGIN andersk {9}
S: + go ahead
C:
S: L01 NO Login failed: authentication failure
Authentication failed. generic failure
}}}
 * I cannot log in to [https://webmail.mit.edu/ Webmail], presumably as a consequence of the above: “Login failed.”
 * I cannot log in to [https://idp.mit.edu/idp/Authn/UsernamePassword Touchstone] services using a password (though certificate and Kerberos authentication still work): “Error: Please enter a valid username and password. Click help for assistance.”
 * ~~[https://owa.exchange.mit.edu/ Outlook Web Access] works fine.~~
 * I cannot log in to the [https://vpn.mit.edu/ MITnet VPN] (vpn.mit.edu): “Login error.”
 * I cannot log in to [https://mit-mailsec-cc.mit.edu:41443/brightmail Brightmail]: “Invalid user name or password. Please try again.”
 * I cannot log in to Windows after starting the Citrix ICA Client from [https://citrix.mit.edu/Citrix/MetaFrameXP/frameset.jsp Citrix MetaFrame XP]: “The system could not log you on. Make sure your User name and domain are correct, then type your password again. Letters in passwords must be typed using the correct case.”
 * ~~I cannot log in to the MIT SECURE wireless network.~~

Given that single-DES is critically weak, is disabled by default in current releases of Kerberos, and will be removed entirely in future releases, we should talk with network and try to get these little problems worked out sooner rather than later.

== Solution ==

In at least [comment:8 one case] (ca.mit.edu), the problem was that the server’s `/etc/krb5.conf` had the line `default_tkt_enctypes = des-cbc-crc`. This line [comment:9 should be removed]. Since we think this misconfigured `/etc/krb5.conf` has been copied to many MIT servers, that’s probably all we need to do to fix most or all of these problems.
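As an added example (not code from the ticket or from Debathena), a small Python audit for the misconfiguration the Solution section names: it reads the `[libdefaults]` section of a krb5.conf and reports any `default_tkt_enctypes`, `default_tgs_enctypes` or `permitted_enctypes` line that still pins a single-DES enctype, plus `allow_weak_crypto = true`. The sample config is constructed; the enctype names are the single-DES types and the `des` family alias accepted by MIT Kerberos.

```python
"""Audit a krb5.conf for single-DES enctype settings (added example, not from the ticket).

The Solution section traces the failures to `default_tkt_enctypes = des-cbc-crc` in a
server's [libdefaults]; this scans that section for any remaining single-DES pin.
"""
import re

# Single-DES enctype names and the "des" family alias accepted by MIT Kerberos.
# des3-* is triple-DES and is deliberately not flagged.
SINGLE_DES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw", "des-hmac-sha1"}
ENCTYPE_KEYS = {"default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"}

def parse_libdefaults(text):
    """Return {key: value} for one-line settings in the [libdefaults] section."""
    section, settings = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = header.group(1).lower()
            continue
        if section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip().lower()] = value.strip()
    return settings

def find_single_des(text):
    """Return [(key, offending_value), ...] for every weak setting in [libdefaults]."""
    findings = []
    for key, value in parse_libdefaults(text).items():
        if key in ENCTYPE_KEYS:
            weak = [e for e in value.replace(",", " ").split() if e.lower() in SINGLE_DES]
            if weak:
                findings.append((key, " ".join(weak)))
        elif key == "allow_weak_crypto" and value.lower() in ("true", "yes", "1"):
            findings.append((key, value))
    return findings

# Constructed sample mirroring the misconfiguration described in the ticket.
BAD_CONF = """[libdefaults]
    default_realm = ATHENA.MIT.EDU
    default_tkt_enctypes = des-cbc-crc
    allow_weak_crypto = true
"""

if __name__ == "__main__":
    for key, value in find_single_des(BAD_CONF):
        print(f"remove or fix: {key} = {value}")
```

Run against each server's `/etc/krb5.conf` (for example `find_single_des(open("/etc/krb5.conf").read())`) to locate the copies of the bad line before removing them.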