From Enrique Rodriguez <>
Subject Re: Kerberos Question
Date Thu, 13 Jul 2006 02:57:58 GMT
Richard Scott wrote:
> Yes, MIT is dropping support for Version 4 of Kerberos where DES was the 
> only algorithm supported.  While I know you are technically correct that 
> it is still available in KRB5, I thought they were attempting to 
> discourage its use.

I agree we should discourage its use, too.  We should document what the 
problems are with DES but for interop we'll need to continue supporting 
it.  We can discuss shipping with DES disabled, but I think it will 
cause user support problems.  In particular, the "Active Directory Users 
And Computers" management GUI has the option to choose DES over 
RC4-HMAC, so many people will enable DES there.

> When you say DES plays a key role in MS environments, I have to admit 
> I'm out of my comfort zone there.  Does MS not even support 3DES?   (I 
> know there was a "brouhaha" some time back when MS decided to "branch" 
> from MIT, but at the time I didn't care what MS did so didn't pay close 
> attention.)

What MS supports is worth watching as they historically add support with 
service packs.  Last I checked, 3DES came in Windows 2000 SP2, however 
it is only used in IPSec.  Microsoft took the stance some time ago that 
they would support interop "by the book" according to RFC 1510, which 
means only DES support.  I haven't heard anything further regarding RFC 
4120 support or new encryption types.

> Appreciate the offer to help steer me around the code, and I'm sure I'll 
> take advantage of the offer once I have a chance to look at it a bit more.

I recommend studying the MINA framework.  Once you understand the layout 
of a MINA server-side protocol, I think the Kerberos implementation will 
be much easier to understand, especially since you already have Kerberos 
knowledge.  In particular, look at MINA's IoHandlerChains, as the 
Kerberos protocol provider is comprised of 3 chains, namely AS, TGS, and 
pre-auth chains, which follow the "Gang of Four" Chain of Responsibility 
(CoR) pattern.

Also, the implementation was originally written straight off of the RFC 
1510 Appendix A's "Pseudo-code for protocol processing," [1] so a 
re-read there might help.  Many IoHandlerCommands still follow the 
pseudocode quite closely.

As an added bonus, once you've got the basic layout of a MINA 
server-side protocol-provider figured out, you can follow it across DNS, 
DHCP, Changepw, and NTP, as we've tried to keep all of them as similar 
as possible.  In fact, one possibility is to start with NTP, as it has 
the least code and thus the MINA parts will stand out more.
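The two technical threads in the message above are the encryption-type policy question (whether a KDC should keep accepting single DES for interoperability or disable it) and the Chain of Responsibility layout of the AS chain. The following is an added, constructed example that is not code from Apache Directory, MINA or this thread: a small AS-REQ processing chain in plain Python, where each command in the list inspects a shared context and the chain stops at the first command that sets a KDC error, which is the CoR behaviour described above. The etype numbers and KDC error codes are the real values from RFC 3961 and RFC 4120; the `KdcPolicy`, `AsContext` and principal-table names, the command order, and the sample principal are assumptions made for the example. The selection rule honours the client's etype order and only filters by policy, so the example shows both outcomes the message anticipates: a client that lists DES first gets DES when DES is enabled, and is refused with KDC_ERR_ETYPE_NOSUPP when DES is disabled and it offers nothing else.

```python
"""Constructed example of Chain-of-Responsibility AS-REQ processing with an
encryption-type policy.  Not code from Apache Directory or MINA."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Encryption type numbers (RFC 3961 / RFC 4120) for the etypes named in the thread.
DES_CBC_CRC = 1
DES_CBC_MD5 = 3
DES3_CBC_SHA1 = 16
RC4_HMAC = 23
SINGLE_DES = {DES_CBC_CRC, DES_CBC_MD5}

# KDC error codes from RFC 4120 section 7.5.9.
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6
KDC_ERR_ETYPE_NOSUPP = 14
KDC_ERR_PREAUTH_REQUIRED = 25


@dataclass
class AsRequest:
    """The fields of an AS-REQ that the chain below looks at (assumed subset)."""
    cname: str
    etypes: List[int]            # client's etype list, in the client's order of preference
    has_preauth: bool = False    # any PA-DATA present?


@dataclass
class KdcPolicy:
    """Hypothetical KDC configuration: which etypes are disabled, and whether pre-auth is required."""
    disabled: List[int] = field(default_factory=list)
    require_preauth: bool = True


@dataclass
class AsContext:
    """State shared by all commands in the chain, comparable to session attributes."""
    request: AsRequest
    policy: KdcPolicy
    principals: Dict[str, List[int]]   # constructed principal table: name -> etypes of stored keys
    selected_etype: Optional[int] = None
    error: Optional[int] = None
    audit: List[str] = field(default_factory=list)


Command = Callable[[AsContext], None]


def verify_principal(ctx: AsContext) -> None:
    """First link: the client principal must exist in the KDC database."""
    if ctx.request.cname not in ctx.principals:
        ctx.error = KDC_ERR_C_PRINCIPAL_UNKNOWN


def check_preauth(ctx: AsContext) -> None:
    """Second link: enforce pre-authentication if policy requires it."""
    if ctx.policy.require_preauth and not ctx.request.has_preauth:
        ctx.error = KDC_ERR_PREAUTH_REQUIRED


def select_etype(ctx: AsContext) -> None:
    """Third link: take the first client-offered etype that the principal has a key
    for and that policy has not disabled.  Single-DES offers are recorded so an
    administrator can find clients still configured for DES before disabling it."""
    offered_des = [e for e in ctx.request.etypes if e in SINGLE_DES]
    if offered_des:
        ctx.audit.append(f"{ctx.request.cname} offered single-DES etypes {offered_des}")
    usable = set(ctx.principals[ctx.request.cname]) - set(ctx.policy.disabled)
    for etype in ctx.request.etypes:
        if etype in usable:
            ctx.selected_etype = etype
            return
    ctx.error = KDC_ERR_ETYPE_NOSUPP


def run_chain(chain: List[Command], ctx: AsContext) -> AsContext:
    """Chain of Responsibility: commands run in order; the first one that sets an
    error ends processing, so later links can assume earlier checks passed."""
    for command in chain:
        command(ctx)
        if ctx.error is not None:
            break
    return ctx


AS_CHAIN: List[Command] = [verify_principal, check_preauth, select_etype]


def process_as_req(request: AsRequest, policy: KdcPolicy,
                   principals: Dict[str, List[int]]) -> AsContext:
    return run_chain(AS_CHAIN, AsContext(request, policy, principals))


# Constructed sample data: one principal with DES, 3DES and RC4-HMAC keys.
PRINCIPALS = {"alice@EXAMPLE.COM": [DES_CBC_MD5, DES3_CBC_SHA1, RC4_HMAC]}
DES_ENABLED = KdcPolicy()
DES_DISABLED = KdcPolicy(disabled=[DES_CBC_CRC, DES_CBC_MD5])

if __name__ == "__main__":
    # A client whose admin ticked "use DES" in the management GUI, DES first.
    des_first = AsRequest("alice@EXAMPLE.COM", [DES_CBC_MD5, RC4_HMAC], has_preauth=True)
    print("DES enabled :", process_as_req(des_first, DES_ENABLED, PRINCIPALS).selected_etype)
    print("DES disabled:", process_as_req(des_first, DES_DISABLED, PRINCIPALS).selected_etype)
    des_only = AsRequest("alice@EXAMPLE.COM", [DES_CBC_MD5], has_preauth=True)
    print("DES only, DES disabled -> error", process_as_req(des_only, DES_DISABLED, PRINCIPALS).error)
```

Running it with `DES_DISABLED` shows why the message expects support problems: the mixed client silently moves to RC4-HMAC, but a DES-only client receives KDC_ERR_ETYPE_NOSUPP and cannot authenticate at all, while the `audit` list gives the administrator the list of principals to fix first.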