If you use the CyberSafe adapter (also included in Oracle 8i and 9i) - this adapter uses GSS-API and calls our library, which supports 3DES.

It looks like you have noticed that the Oracle ASO 'Kerberos' adapter includes Kerberos code based on an old release of MIT libraries. However, the 'CyberSafe' adapter included in ASO uses GSS-API, which means the GSS-API/Kerberos library can be updated to support new ciphers when available without affecting the Oracle software deployment - a much better architecture, I am sure you will agree?

Regards,
Tim Alsop
CyberSafe Limited

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Huckabee
Sent: 07 April 2005 22:14
To: kerberos@mit.edu
Subject: Getting single DES TGT[was Re: KDC: upgrade to 3DES]

Hi all,

I saw this discussion on krb-dev on moving to 3DES support and wanted to ask a similar question (hopefully more appropriately on this list).

We're trying to use the Advanced Security Option in Oracle 9.x/10.x to enable Kerberos authentication - unfortunately, they don't support 3DES keys yet and won't for the near future.

Our KDC is MIT 1.3.6 running on Linux. I've been trying to force clients to ask only for des-cbc-crc TGTs, but haven't been able to do so. A getprinc on the krbtgt principal for my realm looks like:

    Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
    Key: vno 3, DES cbc mode with CRC-32, no salt
    Key: vno 3, DES cbc mode with CRC-32, Version 4

But even when I set:

    default_tgs_enctypes = des-cbc-crc
    default_tkt_enctypes = des-cbc-crc

on the client, I get a des-cbc-crc session key, but a 3des tkt. This happens with an MIT 1.3.6 kinit on Linux and Solaris.

Is the KDC just picking the first key type from the list of available encryption types, despite what the client asks for? Any suggestions for testing this theory (I've done some ethereal sniffs which lead me to think the KDC is at fault)?

Help, advice, even flames welcome at this point,
Craig

PS If you work from Oracle and are reading this, get back to work and update your Kerberos base code!

-------- Original Message --------
Subject: Re: KDC: upgrade to 3DES
Date: Thu, 7 Apr 2005 08:38:07 -0400 (EDT)
From: Shivakeshav Santi <[EMAIL PROTECTED]>
To: Jeffrey Altman <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED]
References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>

Jeff,

Following are the answers for the Qs:

1) did you rekey your principal (aka change your password?)

yes. Following is the output of getprinc:

    Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
    Key: vno 2, DES cbc mode with CRC-32, no salt
    Key: vno 2, DES cbc mode with CRC-32, Version 4

2) is your client restricting the requested enctypes in the krb5.conf file?

it does allow des3-hmac-sha1. Corresponding lines from krb5.conf:

    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc

3) does the client you are using support 3DES?

yes, I am using MIT kinit from krb51.3.4.

Thanks for your help

> shivakeshav santi wrote:
>
>> HI,
>>
>> I am trying to upgrade the encryption type on the KDC to support
>> 3DES. I have made the relevant changes in krb5.conf and
>> kdc.conf(supported_enctypes,
>> kdc_supported_enctypes,default_tgs_enctypes,default_tkt_enctypes
>> :des3-hmac-sha1 des-cbc-crc)
>>
>> But when I use kinit , I only get the tickets with single des.
>> Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
>>
>> Am I missing something.
>>
>> Thank you for your help.
>
> Just a few questions for you to answer:
>
> did you rekey your principal (aka change your password?)
>
> is your client restricting the requested enctypes in the krb5.conf file?
>
> does the client you are using support 3DES?
>
> Jeffrey Altman
> _______________________________________________
> krbdev mailing list [EMAIL PROTECTED]
> https://mailman.mit.edu/mailman/listinfo/krbdev
>

--
Shivakeshav Santi
Programmer Analyst/Senior
Cornell Information Technologies
120 Maple Avenue
Cornell University
Tel :6072551916(O)

Ability may get you to the top, but only character will keep you there .....

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos