NetBSD Problem Report #51177

From bjjl@db.qwabbl.com  Sun May 29 07:32:57 2016
Return-Path: <bjjl@db.qwabbl.com>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id B08957A477
	for <gnats-bugs@gnats.NetBSD.org>; Sun, 29 May 2016 07:32:57 +0000 (UTC)
Message-Id: <20160529073255.57B912CAE3@db.qwabbl.com>
Date: Sun, 29 May 2016 09:32:55 +0200 (CEST)
From: netbsd@benjaminlorenz.email
To: gnats-bugs@NetBSD.org
Subject: Kerberos still supported?
X-Send-Pr-Version: 3.95

>Number:         51177
>Category:       security
>Synopsis:       Kerberos still supported?
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    security-officer
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun May 29 07:35:00 +0000 2016
>Originator:     Benjamin Lorenz
>Release:        NetBSD 7.99.29
>Organization:

>Environment:


System: NetBSD db.qwabbl.com 7.99.29 NetBSD 7.99.29 (GENERIC) #0: Sat May 28 13:42:23 CEST 2016 root@db.qwabbl.com:/usr/obj/sys/arch/amd64/compile/GENERIC amd64
Architecture: x86_64
Machine: amd64
>Description:
Trying to get Kerberos running according to documentation at 
http://www.netbsd.org/docs/network/#kerberos.

Encryption part does not seem to go well:

bjjl@db:~$ cat /etc/krb5.conf 
[libdefaults]
        default_realm = QWABBL.COM
        allow_weak_crypto = true
[realms]
        QWABBL.COM = {
                        kdc = db.qwabbl.com
                        admin_server = db.qwabbl.com
        }


bjjl@db:~$ telnet -ax db.qwabbl.com
Trying 2001:19f0:6c00:9703:5400:ff:fe16:fb7...
Connected to db.qwabbl.com.
Escape character is '^]'.
[ Trying KERBEROS5 ... ]
Kerberos V5: mk_req failed (KDC has no support for encryption type)
[ Trying KERBEROS5 ... ]
Kerberos V5: mk_req failed (KDC has no support for encryption type)
Trying SRA secure login:
User (bjjl): 

Disabling weak crypto in the config file leads to

bjjl@db:~$ telnet -ax db.qwabbl.com
Trying 2001:19f0:6c00:9703:5400:ff:fe16:fb7...
Connected to db.qwabbl.com.
Escape character is '^]'.
[ Trying KERBEROS5 ... ]
Kerberos V5: mk_req failed (encryption type des-cbc-crc is disabled)
[ Trying KERBEROS5 ... ]
Kerberos V5: mk_req failed (encryption type des-cbc-crc is disabled)
Trying SRA secure login:
User (bjjl): 

There is a trick, or just no real support (anymore) for Kerberos?

Looking at /usr/src/crypto/TODO (from 2006!) I get the feeling I should
leave Kerberos at NetBSD alone? Please advise.

If we really don't support this code anymore, we should IMHO remove it.


>How-To-Repeat:

>Fix:


>Unformatted:
NetBSD Home
NetBSD PR Database Search
(Contact us) $NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2014 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.