Encryption types available for Kerberos telnet in RHEL 6
How do I add available encryption types for Kerberos telnet? The only encryption types included in telnet from krb5-appl-clients are DES (which is disabled by Kerberos by default). The documentation from MIT seems to say that it will support several stronger encryption types but I didn't see a way to configure this.
Do I need to recompile telnet from the Kerberos SRPM? Why aren't stronger encryption types included in the distributed krb5-appl-client package?
Responses
> How do I add available encryption types for Kerberos telnet?
This is not done directly with telnet, but in the Kerberos library. 'ldd /usr/kerberos/bin/telnet' shows the libraries.
> The only encryption types included in telnet from krb5-appl-clients are DES
Via the Kerberos libraries, all encoding types the library can deal with are also available to kerberized telnet.
If your system is part of a Kerberos realm, the principal file /etc/krb5.keytab exists and you can execute 'ktutil -ek /etc/krb5.keytab' to inspect the encoding types.
> (which is disabled by Kerberos by default).
Yes, it is disabled by default in newer RHEL.
> The documentation from MIT seems to say that it will support several stronger encryption types but I didn't see a way to configure this.
> Do I need to recompile telnet from the Kerberos SRPM? Why aren't stronger encryption types included in the distributed krb5-appl-client package?
The support for better encoding types is already there in RHEL, no need to recompile. I suggest you verify the encoding types your principal contains. If there is no DES, and you have Kerberos authentication working, then you are not using DES.
Christian
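The "no DES in the principal" check suggested in the reply above can be scripted. This is an added example, not part of the thread or of any Red Hat tooling: it assumes the listing comes from MIT's `klist -ek` (an assumption; the reply names `ktutil`), and the function names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag single-DES keys in `klist -ek`-style keytab listings.
# Typical use (assumed command): klist -ek /etc/krb5.keytab | des_keytab_entries

# Reads a keytab listing on stdin and prints "KVNO PRINCIPAL ENCTYPE" for
# every single-DES entry. Both short enctype names ("des-cbc-crc") and
# descriptive names ("DES cbc mode with CRC-32") are recognised.
des_keytab_entries() {
    awk '
        # Entry lines start with a numeric KVNO and end with "(enctype)".
        /^[ \t]*[0-9]+[ \t]/ && /\)[ \t]*$/ {
            open = index($0, "(")
            if (open == 0) next
            enc = substr($0, open + 1)
            sub(/\)[ \t]*$/, "", enc)
            # Single DES only: "des3-..." and "Triple DES ..." do not match.
            if (tolower(enc) ~ /^des[- ]/) print $1, $2, enc
        }
    '
}

# Constructed sample listing (not real output from any host).
sample_klist_output() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 host/server.example.com@EXAMPLE.COM (des3-cbc-sha1)
   2 host/server.example.com@EXAMPLE.COM (des-cbc-crc)
   3 host/old.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   3 host/old.example.com@EXAMPLE.COM (Triple DES cbc mode with HMAC/sha1)
EOF
}

# Demo run on the constructed sample: lists the two single-DES entries.
sample_klist_output | des_keytab_entries
```

An empty result means the keytab holds no single-DES keys; it says nothing about the cipher telnet negotiates for the session itself.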
Hi,
thanks for the increased verbosity, I see now that you are not talking about authentication but encryption of the telnet connection. To look into this we should set up a reproducer, look at the offered encryption modes of telnet, document that in kbase, and offer suggestions on how to use better encryption types if applicable.
Is it possible that you open a case with Red Hat Support to get this investigated? You could also drop a link to this thread, so the outcome can also be posted here then.
Thanks, Christian
