des_cbc_crc -> des_cbc_md5

yo timo bacolod85 at
Fri Apr 4 09:39:59 EST 2003

I read about the fact that crc is not collision-proof whereas md5 is.  Can anyone comment on the benefit of using md5 over crc for Kerberos keys?

If I set up my KDC's and all principals with des_cbc_crc keys but now desire to use des_cbc_md5 do I have to start from scratch?

I know 3des is better,  Unfortunately I'm dealing with devices that only support des.


Do you Yahoo!?
Yahoo! Tax Center - File online, calculators, forms, and moreeFrom mattw at Fri Apr  4 09:58:43 2003
	by (8.12.8p1/8.12.8) with ESMTP id h34Ewhjc000707
	for <kerberos at>; Fri, 4 Apr 2003 09:58:43 -0500 (EST)
Received: from ( [])
	for <kerberos at>; Fri, 4 Apr 2003 09:58:42 -0500 (EST)
Received: from (
	by (Postfix) with ESMTP id C2CED279
	for <kerberos at>; Fri,  4 Apr 2003 09:58:41 -0500 (EST)
Received: by (Postfix, from userid 20937)
	id 8015311A9; Fri,  4 Apr 2003 09:58:50 -0500 (EST)
Date: Fri, 4 Apr 2003 09:58:49 -0500
From: Matthew Wronkowski <mattw at>
To: kerberos at
Message-ID: <20030404145849.GA3954 at>
Mail-Followup-To: kerberos at
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Operating-System: SunOS 5.9 (sun4u)
User-Agent: Mutt/1.5.3i
Subject: OpenSSH on Solaris 9 credential cache problem
X-BeenThere: kerberos at
X-Mailman-Version: 2.1
Precedence: list
List-Id: The Kerberos Authentication System Mailing List <>
List-Help: <mailto:kerberos-request at>
List-Post: <mailto:kerberos at>
List-Subscribe: <>,
	<mailto:kerberos-request at>
List-Archive: <>
List-Unsubscribe: <>,
	<mailto:kerberos-request at>
X-List-Received-Date: Fri, 04 Apr 2003 14:58:43 -0000

I'm seeing strange and annoying problem.  I have three Solaris 9 (sparc)
servers, two running OpenSSH_3.6.1p1, and one running 3.4p1.  On the two
servers running 3.6.1p1 if two concurrent ssh sessions are brought up, then one
is exited, the /tmp/krb5* file is removed and the user will have kinit in the 
remaining session.  The 3.4p1 server does not delete this file until the last
session is exited (as it should). Telnet to these machines also works fine.
I saw this issue in versions previous to 3.4. 

Has anyone had similar experiences?  I don't see a configuration difference in
sshd_config. Could it be a problem with PAM?

Matthew Wronkowski, CCNP

More information about the Kerberos mailing list