Your patch is close to the correct way to do this. The primary issue is the question of the encryption key to use. You want to use the 3DES session key if it is available.
However, there is a bigger problem. The existing Kerberos 5 telnet code base always takes the first 8 bytes of the key regardless of length and uses it for both the inbound and outbound keys. This is in violation of the current Telnet Encryption draft. That is why there is a restriction for Kerberos 5 that it can only use single DES session keys. If a session key with greater than 8 bytes of key data were used, the truncation applied in the current code would make the communication between the client and server incompatible if single DES were ever negotiated.
- Jeffrey Altman
Markus Moeller wrote:
I would like to encrypt a kerberised telnet session stronger than with DES. I assume that this has been done in the past, but I haven't found any example. But I found the below telnet client/server source from the srp project which has 3DES/CAST128 encryption and modified the kerberos5.c file to allow 3DES encryption.
The source can be found at http://srp.stanford.edu/source/srp-2.0.0.tar.gz. Together with the attached patch and the below configure command, I got it to work on Suse Linux with MIT 1.3.1 and a W2k kdc and RC4-hmac cipher.
LDFLAGS="-Wl,-R/usr/kerberos/lib" \
  ./configure --with-krb5=/src/mitk5-131/kerberos/src --without-srp --without-cast --disable-tls
As I am not an expert in cryptography I would like to know if this is correctly implemented.
Thank you for any help/suggestions.
Markus
------------------------------------------------------------------------
________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
