kfw & krb5 1.3.1
King Lung Chiu
csklc at farrer.hpc.csiro.au
Mon Feb 9 01:46:45 EST 2004
OK, here's a bit more info:
$ export KRB5CCNAME=FILE:C:/cygwin/tmp/krb5ccwin;leash32 -m;klist -5 -e
Ticket cache: FILE:C:/cygwin/tmp/krb5ccwin
Default principal: chi145 at NEXUS.CSIRO.AU
Valid starting Expires Service principal
02/09/04 16:28:13 02/10/04 02:28:13 krbtgt/NEXUS.CSIRO.AU at NEXUS.CSIRO.AU
renew until 02/16/04 16:28:13, Etype (skey, tkt): etype 0, ArcFour with HMAC/md5
It appears that no matter what I specify 'default_tkt_enctypes'
and 'default_tgs_enctypes' to be in krb5.ini, leash32 / ms2mit always
encrypts my ticket with arcfour-hmac-md5.
Is this a bug in kfw 2.5? If not, how do I make it encrypt the tgt with,
say, des-cbc-crc? My current krb5.ini (in kf2's bin dir):
...
[libdefaults]
default_tkt_enctypes = des-cbc-crc des-cbc-md5 des-cbc-md4
default_tgs_enctypes = des-cbc-crc des-cbc-md5 des-cbc-md4
...
...
Any ideas? Regards
King Lung Chiu
> On further testing, I get these errors when trying to renew the ms2mit tgt
> (using 'kinit -R' from both krb5-1.3.1 and kfw 2.5):
>
> kinit(v5): No credentials found with supported encryption types while
> renewing credentials
>
> and with 'leash32 -r' I get a popup window with errors:
>
> No credentials found with supported encryption types
> (Kerberos error 200)
>
> krb5_get_renewed_creds() failed
>
> So I'm guessing ms2mit encrypts its tgt with an algo. not supported by
> krb5-1.3.1? The weird thing is, even leash32 can't renew ms2mit's tgt.
>
> And on checking the file sizes, I get:
>
> krb5's kinit tgt size: 2286 bytes
> kfw's ms2mit tgt size: 1179 bytes
>
> So any ideas?
>
> thanks again, regards
>
> King Lung Chiu
>
> > Hi,
> >
> > I'm testing out kerberised openssh on cygwin with both krb5 1.3.1 and kfw.
> >
> > I can use krb5-1.3.1's kinit no problems, and the tgt allows passwordless
> > ssh from cygwin to a linux machine.
> >
> > But when I use tgt from kfw's ms2mit, passwordless ssh stops working (i.e.
> > it asks for a password).
> >
> > For kfw, I've set krb5.ini so it's the same as krb5.conf from my cygwin
> > krb5 1.3.1 install. Before running ssh, I also set KRB5CCNAME so it points
> > to the correct location (klist shows OK).
> >
> > So my problem is tgt from krb5-1.3.1 is OK, but the tgt from ms2mit does
> > not seem to work.
> >
> > Any ideas? (please see below for the ssh -vvv output using the ms2mit tgt)
> >
> > regards
> >
> > King Lung Chiu
> >
> >
> > ...
> > debug1: Authentications that can continue:
> > publickey,gssapi,password,keyboard-interactive
> > debug3: start over, passed a different list
> > publickey,gssapi,password,keyboard-interactive
> > debug3: preferred gssapi,publickey,keyboard-interactive,password
> > debug3: authmethod_lookup gssapi
> > debug3: remaining preferred: publickey,keyboard-interactive,password
> > debug3: authmethod_is_enabled gssapi
> > debug1: Next authentication method: gssapi
> > debug2: we sent a gssapi packet, wait for reply
> > debug1: Miscellaneous failure
> > No credentials found with supported encryption types
> >
> > debug1: Trying to start again
> > debug2: we sent a gssapi packet, wait for reply
> > debug1: Authentications that can continue:
> > publickey,gssapi,password,keyboard-interactive
> > debug2: we did not send a packet, disable method
> > debug3: authmethod_lookup publickey
> > debug3: remaining preferred: keyboard-interactive,password
> > debug3: authmethod_is_enabled publickey
> > debug1: Next authentication method: publickey
> > debug1: Trying private key: /home/chi145/.ssh/identity
> > debug3: no such identity: /home/chi145/.ssh/identity
> > debug1: Trying private key: /home/chi145/.ssh/id_rsa
> > debug3: no such identity: /home/chi145/.ssh/id_rsa
> > debug1: Trying private key: /home/chi145/.ssh/id_dsa
> > debug3: no such identity: /home/chi145/.ssh/id_dsa
> > debug2: we did not send a packet, disable method
> > debug3: authmethod_lookup keyboard-interactive
> > debug3: remaining preferred: password
> > debug3: authmethod_is_enabled keyboard-interactive
> > debug1: Next authentication method: keyboard-interactive
> > debug2: userauth_kbdint
> > debug2: we sent a keyboard-interactive packet, wait for reply
> > debug2: input_userauth_info_req
> > debug2: input_userauth_info_req: num_prompts 1
> > Password:
> >
> > ________________________________________________
> > Kerberos mailing list Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
>
>
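The comparison made by eye in the message above (the etypes reported by `klist -5 -e` against the enctype lists in krb5.ini), as an added example that is not part of the original thread or of krb5/kfw. The sample inputs are constructed from the values quoted in the post; the function names and the description-to-name table are assumptions of this example.

```python
import re

# Constructed samples, built from the values quoted in the post above.
KLIST_OUTPUT = """\
02/09/04 16:28:13  02/10/04 02:28:13  krbtgt/NEXUS.CSIRO.AU at NEXUS.CSIRO.AU
\trenew until 02/16/04 16:28:13, Etype (skey, tkt): etype 0, ArcFour with HMAC/md5
"""
KRB5_INI = """\
[libdefaults]
default_tkt_enctypes = des-cbc-crc des-cbc-md5 des-cbc-md4
default_tgs_enctypes = des-cbc-crc des-cbc-md5 des-cbc-md4
"""
# klist description -> krb5.ini name (assumed mapping, limited to etypes seen here).
NAMES = {
    "DES cbc mode with CRC-32": "des-cbc-crc",
    "DES cbc mode with RSA-MD4": "des-cbc-md4",
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
    "ArcFour with HMAC/md5": "arcfour-hmac-md5",
}

def ticket_etypes(klist_text):
    """Return [(service, skey etype, tkt etype)] parsed from `klist -e` text."""
    out, service = [], None
    for line in klist_text.splitlines():
        m = re.search(r"Etype \(skey, tkt\): (.+?), (.+)$", line)
        if m:  # unnamed values such as "etype 0" are passed through unchanged
            out.append((service, *(NAMES.get(d.strip(), d.strip()) for d in m.groups())))
        elif re.match(r"\d\d/\d\d/\d\d ", line):
            service = line.split(None, 4)[4].strip()
    return out

def configured_enctypes(ini_text, section="libdefaults"):
    """Return {setting: [enctype, ...]} for the *_enctypes keys in one section."""
    found, current = {}, None
    for line in map(str.strip, ini_text.splitlines()):
        if line.startswith("["):
            current = line.strip("[]")
        elif current == section and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key.endswith("_enctypes"):
                found[key] = re.split(r"[\s,]+", value)
    return found

def mismatches(klist_text, ini_text):
    """List (service, role, etype, setting) where the etype is not in the setting."""
    return [(svc, role, etype, setting)
            for svc, skey, tkt in ticket_etypes(klist_text)
            for setting, allowed in configured_enctypes(ini_text).items()
            for role, etype in (("skey", skey), ("tkt", tkt)) if etype not in allowed]
```

In the result, `skey` is the session key the client itself uses and `tkt` is the part of the ticket encrypted for the service, so the two roles are reported separately.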