Ticket #529 (new defect) — at Version 6
Make Athena ready to transition away from single-DES
Reported by: | andersk | Owned by: |
---|---|---|---
Priority: | normal | Milestone: | The Distant Future
Component: | -- | Keywords: |
Cc: | | Fixed in version: |
Upstream bug: | | |
Description (last modified by andersk)
[Not entirely a Debathena bug, but this is the most convenient place to keep track of it.]
As an experiment, I modified my Kerberos principal to have only a triple-DES enctype using kadmin:
kadmin: cpw -e des3-hmac-sha1:normal andersk
This works out fine from a Kerberos client perspective:
- kinit -5, kinit -45, and krb524init all work, which allows me to use any Kerberized service as normal, including krb4 Zephyr and krb4 IMAP.
- kinit -4 no longer works (kinit(v4): Kerberos principal unknown), which is expected because Kerberos IV can only use a single-DES key to encrypt my TGT. But that is okay because kinit -45 or krb524init replace this functionality.
- aklog and AFS works fine.
However, it exposed some problems with various password-authenticated services:
- ca.mit.edu does not allow me to generate a new MIT certificate. I receive this error:
(-1765328370, 'KDC has no support for encryption type')
- The PO servers do not allow me to log in over IMAP using a password. (Kerberized IMAP still works.) I receive this error using imtest:
    $ imtest -s -m login andersk.mail.mit.edu
    …
    Please enter your password:
    C: L01 LOGIN andersk {9}
    S: + go ahead
    C: <omitted>
    S: L01 NO Login failed: authentication failure
    Authentication failed. generic failure
- I cannot log into webmail.mit.edu, presumably as a consequence of the above:
Login failed.
- I cannot log into Touchstone services using a password. (Certificate and Kerberos authentication still work.) I receive this error [UPDATED]:
Error: Please enter a valid username and password. Click help for assistance.
- owa.exchange.mit.edu works fine.
- I cannot log in to the MITnet VPN (vpn.mit.edu). It just says “Login error.”
- I cannot log in to Brightmail: “Invalid user name or password. Please try again.”
Given that single-DES is critically weak, is disabled by default in current releases of Kerberos, and will be removed entirely in future releases, we should talk with network and try to get these little problems worked out sooner rather than later.
Change History
comment:2 Changed 14 years ago by andersk
In case anyone important is reading this, I should be clear that none of these problems are believed to block a transition to hybrid DES+3DES keys, which would allow the ATHENA realm to continue to function after single-DES is turned off in Kerberos upstream.
comment:4 Changed 14 years ago by andersk
- Description modified
I found a new problem: I can’t log in to vpn.mit.edu.
comment:5 Changed 14 years ago by andersk
hartmans guesses that the problem with at least some of these services is a krb5.conf with default_tkt_enctypes misconfigured. He also says the KDC logs should be able to identify such misconfigurations if the KDC is running 1.3 or higher (but he thinks it’s running 1.2).
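The misconfiguration hartmans is guessing at in comment:5 is easy to check for mechanically. The following is an added example (it is not code from this ticket, from Debathena or from MIT Kerberos): a small parser for the enctype lists in the `[libdefaults]` section of a krb5.conf, a report of lists that contain only single-DES enctypes, and a model of the KDC's AS-REQ check that reproduces why a client configured that way gets `KDC has no support for encryption type` for the 3DES-only principal from the description, while a hybrid DES+3DES key set (comment:2) still works. The two krb5.conf fragments are constructed for illustration; the numeric error code is the one quoted in the description, decoded against the krb5 error-table base.

```python
"""Check krb5.conf enctype lists against a principal's key enctypes.

Added example, not from the Debathena ticket or MIT Kerberos. The two
krb5.conf fragments below are constructed for illustration.
"""
import re

# krb5 com_err table base; KDC_ERR_ETYPE_NOSUPP is protocol error 14.
ERROR_TABLE_BASE_KRB5 = -1765328384
KDC_ERR_ETYPE_NOSUPP = ERROR_TABLE_BASE_KRB5 + 14  # -1765328370, as in the ticket

# Explicit MIT enctype names only (family aliases such as "des3" are omitted).
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-cbc-raw"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# Constructed: a client that only ever asks for single-DES keys.
WEAK_KRB5_CONF = """
[libdefaults]
    default_realm = ATHENA.MIT.EDU
    default_tkt_enctypes = des-cbc-crc des-cbc-md5
    default_tgs_enctypes = des-cbc-crc des-cbc-md5
"""

# Constructed: 3DES listed first, single-DES kept only until every principal has moved.
FIXED_KRB5_CONF = """
[libdefaults]
    default_realm = ATHENA.MIT.EDU
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
"""


def parse_libdefaults(conf_text):
    """Return {key: [enctype, ...]} for the enctype-list keys under [libdefaults].

    Handles '#' comments and space- or comma-separated lists; other keys and
    other sections are ignored.
    """
    section = None
    lists = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key in ENCTYPE_KEYS:
            lists[key] = [t for t in re.split(r"[\s,]+", value.strip()) if t]
    return lists


def weak_lists(conf_text):
    """Return the enctype-list keys whose entries are all single-DES."""
    return {k: v for k, v in parse_libdefaults(conf_text).items()
            if v and set(v) <= SINGLE_DES}


def as_req_result(conf_text, principal_enctypes):
    """Model the KDC's AS-REQ enctype selection for a password login.

    The KDC must find a requested enctype for which the client principal has a
    key; if default_tkt_enctypes and the principal's keys do not overlap, it
    answers KDC_ERR_ETYPE_NOSUPP. Returns 0 on success, else the error code.
    Assumption: with no default_tkt_enctypes set, libkrb5's built-in default
    list is used, which includes des3-hmac-sha1, so the request succeeds.
    """
    requested = parse_libdefaults(conf_text).get("default_tkt_enctypes")
    if requested is None:
        return 0
    return 0 if set(requested) & set(principal_enctypes) else KDC_ERR_ETYPE_NOSUPP


def krb5_error_number(code):
    """Map a krb5 com_err code (e.g. -1765328370) to its protocol error number."""
    return code - ERROR_TABLE_BASE_KRB5


if __name__ == "__main__":
    des3_only = ["des3-hmac-sha1"]            # the principal from the description
    hybrid = ["des-cbc-crc", "des3-hmac-sha1"]  # the transition state from comment:2
    for name, conf in (("weak", WEAK_KRB5_CONF), ("fixed", FIXED_KRB5_CONF)):
        print(name, "single-DES-only lists:", sorted(weak_lists(conf)))
        print(name, "3DES-only principal ->", as_req_result(conf, des3_only))
        print(name, "hybrid principal     ->", as_req_result(conf, hybrid))
    print("error 14 =", krb5_error_number(-1765328370))
```

Run it against a real krb5.conf by passing the file's contents to `weak_lists`; any key it reports is a list a service host would have to widen before the principals it authenticates lose their single-DES keys.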