[Freeipa-users] Kerberos and Cisco

Petr Spacek pspacek at redhat.com
Thu Jan 3 11:57:57 UTC 2013


On 12/23/2012 07:31 PM, Simo Sorce wrote:
> On Fri, 2012-12-21 at 18:23 -0500, Dmitri Pal wrote:
>> On 12/21/2012 05:40 PM, Mike Mercier wrote:
>>> Hi Bret,
>>>
>>>
>>> I tried this once in the past with no success.  If I recall
>>> correctly (I can't find the reference anymore), Cisco (at least in
>>> IOS 12.4 that I tested) only supports the DES-CBC-CRC enctype.  This
>>> enctype is disabled by default in FreeIPA.
>>
>> allow_weak_crypto = true
>>
>> in krb5.conf to enable it.
>
> These instructions are relevant only for a Linux based client.
>
> Bret,
> on top of changing the above on the server and restarting it,
> you need to add DES as an allowed enctype in the IPA server LDAP
> attribute that controls it (*) as well as explicitly specify you want a
> DES key when you use ipa-getkeytab to get a keytab for your device.
>
>
> (*) This attribute is called krbSupportedEncSaltTypes and is stored in
> cn=<REALM>,cn=kerberos,cn=<suffix> in your LDAP server.
>
> You probably want to add the value: des-cbc-crc:normal

I would add: DES + CRC is considered insecure, weigh it in your use case 
carefully.

-- 
Petr^2 Spacek
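As an added example (not part of the thread), a small Python audit that reads the realm's krbSupportedEncSaltTypes values and the allow_weak_crypto setting mentioned above and reports which enabled enctypes are single-DES or otherwise deprecated, so the trade-off Petr points at can be checked rather than assumed. The LDIF and krb5.conf excerpts are constructed sample input; EXAMPLE.COM and dc=example,dc=com are placeholders.

```python
import re
# Constructed sample input (not from the mailing-list thread): an LDIF export of the
# realm container discussed above, with DES added the way the post describes.
SAMPLE_LDIF = """\
dn: cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
cn: EXAMPLE.COM
krbSupportedEncSaltTypes: aes256-cts:normal
krbSupportedEncSaltTypes: aes128-cts:normal
krbSupportedEncSaltTypes: arcfour-hmac:normal
krbSupportedEncSaltTypes: des-cbc-crc:normal
"""

# Constructed krb5.conf excerpt with the setting from the post switched on.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = EXAMPLE.COM
 allow_weak_crypto = true
"""

# Single-DES enctypes: deprecated by RFC 6649 and gated by allow_weak_crypto in MIT krb5.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
# RC4 and 3DES: deprecated by RFC 8429 but not gated by allow_weak_crypto.
DEPRECATED_ENCTYPES = {"arcfour-hmac", "arcfour-hmac-exp", "des3-cbc-sha1"}


def parse_enc_salt_types(ldif):
    """Return (enctype, salttype) pairs from krbSupportedEncSaltTypes values."""
    pairs = []
    for m in re.finditer(r"^krbSupportedEncSaltTypes:\s*(\S+)", ldif, re.MULTILINE):
        enctype, _, salttype = m.group(1).partition(":")
        pairs.append((enctype.lower(), salttype or "normal"))
    return pairs


def allow_weak_crypto_enabled(krb5_conf):
    """True if allow_weak_crypto is set to a value MIT krb5 treats as true."""
    m = re.search(r"^\s*allow_weak_crypto\s*=\s*(\S+)", krb5_conf, re.MULTILINE)
    return bool(m) and m.group(1).lower() in {"true", "yes", "on", "t", "y", "1"}


def audit_realm(ldif, krb5_conf):
    """Summarise the weak-crypto exposure of a realm from its LDAP entry and krb5.conf."""
    enctypes = [e for e, _ in parse_enc_salt_types(ldif)]
    return {
        "weak": sorted(e for e in enctypes if e in WEAK_ENCTYPES),
        "deprecated": sorted(e for e in enctypes if e in DEPRECATED_ENCTYPES),
        "allow_weak_crypto": allow_weak_crypto_enabled(krb5_conf),
    }


if __name__ == "__main__":
    print(audit_realm(SAMPLE_LDIF, SAMPLE_KRB5_CONF))
```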