Encryption types available for Kerberos telnet in RHEL 6


How do I add available encryption types for Kerberos telnet? The only encryption types included in telnet from krb5-appl-clients are DES (which is disabled by Kerberos by default). The documentation from MIT seems to say that it will support several stronger encryption types but I didn't see a way to configure this.

Do I need to recompile telnet from the Kerberos SRPM? Why aren't stronger encryption types included in the distributed krb5-appl-client package?

Responses

> How do I add available encryption types for Kerberos telnet?

This is not directly done with telnet, but in the Kerberos library. 'ldd /usr/kerberos/bin/telnet' shows the libraries.

> The only encryption types included in telnet from krb5-appl-clients are DES

Via the Kerberos libraries, all encoding types the library can deal with are also available to kerberized telnet.

If your system is part of a kerberos realm, the principal file /etc/krb5.keytab exists and you can execute 'ktutil -ek /etc/krb5.keytab' to inspect the encoding types.

> (which is disabled by Kerberos by default).

Yes, it is disabled by default in newer RHEL.

> The documentation from MIT seems to say that it will support several stronger encryption types but I didn't see a way to configure this.

> Do I need to recompile telnet from the Kerberos SRPM? Why aren't stronger encryption types included in the distributed krb5-appl-client package?

The support for better encoding types is already there in RHEL, no need to recompile. I suggest you verify the encoding types your principal contains. If there is no DES, and you have Kerberos authentication working, then you are not using DES.

Christian

I think I may have been unclear in my initial post...

I am using 2 virtual machines on an isolated network, both loaded with RHEL 6.2. Server1 is the KDC and Kerberos application server; server2 is my client. Configurations are not modified from the default installed (I am using example.com as my domain and server1 is aliased in the hosts file as kerberos.example.com). Principals loaded are host/server1.example.com, host/server2.example.com, nfs/server1.example.com, nfs/server2.example.com and kerbuser2. Keys loaded (viewed with klist -k -K) show 6 entries for each of host/server1.example.com, host/server2.example.com and nfs/server1.example.com (1 for each of the supported encryption types listed in /var/kerberos/krb5kdc/kdc.conf, except for des-cbc-crc:normal).

/etc/krb5.conf and /etc/krb5.keytab on server1 and server2 are identical.

Other Kerberos applications (rsh, rcp, rlogin) are working correctly.  Server1 is serving home directories via NFSv4 with sec=krb5 and server2 automounts are correct.

When I execute /usr/kerberos/bin/telnet on server2 (without allow_weak_crypto in krb5.conf):

#kinit kerbuser2
<password>
#/usr/kerberos/bin/telnet -xl kerbuser2
telnet> encrypt enable ?
Valid encryption types:
     DES_CFB64 (1)
     DES_OFB64 (2)
telnet> set auth
telnet> o server1
<misc messages omitted>
telnet: Kerberos V5: failure on credentials (KDC has no support for encryption type)
>>>TELNET:  Sent failure message
Negotiation of authentication, which is required for encryption,
has failed.  Good-bye.
#

With allow_weak_crypto:

#/usr/kerberos/bin/telnet -xl kerbuser2
telnet> set auth
>>>TELNET: Using type 2
[ Kerberos V5 accepts you as ''kerbuser2@EXAMPLE.com'' ]
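Christian's suggestion above to check which encoding types the principal's keytab actually holds, together with the allow_weak_crypto workaround Jean had to use, as an added example that is not from this thread and not Red Hat's or MIT's code: a POSIX shell script that parses the text format 'klist -k -e' prints, reports any single-DES key types, and checks whether a krb5.conf [libdefaults] section has turned allow_weak_crypto on. The keytab listing and krb5.conf text embedded below are constructed samples (the principal and realm names follow the thread's example.com setup but are assumptions), so it runs without a Kerberos installation; point the functions at real 'klist -k -e' output and /etc/krb5.conf to audit a host.

```shell
#!/bin/sh
# Added example (not from the thread): audit the encryption types a keytab
# carries and whether krb5.conf has re-enabled weak crypto.  Parses the
# format `klist -k -e` prints; the listing below is a constructed sample,
# not output captured from the poster's machines.

# Constructed sample of `klist -k -e /etc/krb5.keytab` output.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/server2.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 host/server2.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 host/server2.example.com@EXAMPLE.COM (des3-cbc-sha1)
   2 host/server2.example.com@EXAMPLE.COM (arcfour-hmac)
   2 host/server2.example.com@EXAMPLE.COM (des-hmac-sha1)
   2 host/server2.example.com@EXAMPLE.COM (des-cbc-md5)'

# Constructed sample krb5.conf with the weak-crypto workaround switched on.
SAMPLE_KRB5CONF='[libdefaults]
 default_realm = EXAMPLE.COM
 allow_weak_crypto = true
 dns_lookup_realm = false'

# Print the distinct enctypes found in a `klist -k -e` listing read from
# stdin, one per line.  The enctype is the parenthesised token that ends
# each key line; header lines carry no parentheses and are skipped.
keytab_enctypes() {
    sed -n 's/.*(\([^)]*\))[[:space:]]*$/\1/p' | sort -u
}

# Print only the single-DES enctypes (the ones MIT krb5 refuses to use
# unless allow_weak_crypto is set).  Exit 0 if any were found, 1 if none.
weak_enctypes() {
    keytab_enctypes | grep -E '^des-(cbc-(crc|md4|md5)|hmac-sha1)$'
}

# Exit 0 if the krb5.conf text on stdin sets allow_weak_crypto to a true
# value inside [libdefaults]; exit 1 otherwise.
weak_crypto_allowed() {
    awk '
      { gsub(/=/, " = ") }                       # tolerate key=value spacing
      /^[[:space:]]*\[/ { section = $0; sub(/^[[:space:]]*/, "", section) }
      section == "[libdefaults]" && $1 == "allow_weak_crypto" {
          v = tolower($NF)
          if (v == "true" || v == "yes" || v == "1") found = 1
      }
      END { exit found ? 0 : 1 }'
}

# Run both checks over the samples and print a short report.
audit() {
    printf 'Keytab enctypes:\n'
    printf '%s\n' "$SAMPLE_KLIST" | keytab_enctypes | sed 's/^/  /'
    if printf '%s\n' "$SAMPLE_KLIST" | weak_enctypes >/dev/null; then
        printf 'WARNING: single-DES keys present in keytab\n'
    fi
    if printf '%s\n' "$SAMPLE_KRB5CONF" | weak_crypto_allowed; then
        printf 'WARNING: allow_weak_crypto = true in [libdefaults]\n'
    fi
}

audit
```

On a real host, replace the two samples with 'klist -k -e /etc/krb5.keytab | keytab_enctypes' and 'weak_crypto_allowed < /etc/krb5.conf'. A keytab that lists only DES types, or a krb5.conf that needs allow_weak_crypto for a service to authenticate, is the signal that the service (here, kerberized telnet) is still bound to an enctype the library has deliberately disabled.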

A quick question Jean: Why are you using telnet instead of ssh?

I'm genuinely curious.

It's more of a technical exercise than anything else. I'm going through the requirements listed for the RH Enterprise Security and Network Services Certificate of Expertise to make sure I understand how to implement each task. I avoid telnet wherever possible! The next thing I'll be beating my head against is "Use GPG tools to configure a certificate authority (CA) and sign certificate requests". I know how to do it with OpenSSL but not with GPG.

Jean

Hi,

thanks for the increased verbosity, I see now that you are not talking about authentication but encryption of the telnet connection. To look into this we should set up a reproducer, look at the offered encryption modes of telnet, document that in kbase, and offer suggestions on how to use better encryption types if applicable.

Is it possible that you open a case with Red Hat Support to get this investigated? You could also drop a link to this thread, so the outcome can also be posted here then.

Thanks, Christian