MIT Kerberos and Solaris 10 Kerberos

Wyllys Ingersoll wyllys.ingersoll at sun.com
Tue Jan 11 14:11:29 EST 2005


Heilke, Rainer wrote:

>>You indicated below that you are using an MIT kerberos KDC on the
>>Solaris 8 systems.  So, the key to making things work with the S8
>>SEAM kerberos clients is to make sure that the host principals
>>for those Solaris 8 systems are only issued DES keys.   The rlogin
>>servers in SEAM only support DES since that is all that was
>>available when the S8 SEAM packages were created.
>>
>>kadmin -q "addprinc -e des-cbc-md5:normal host/foo.bar.com"
>>kadmin -q "ktadd -e des-cbc-md5:normal host/foo.bar.com"
>>
>>(I'm not sure if the syntax for those commands is exactly correct,
>>but you get the idea).
>>
>>Solaris 10 systems can be issued AES keys (AES-128 if the encryption
>>package is not installed, AES-256 otherwise) or RC4, 3DES, or DES.
> 
> 
> Can we force the Sol10 box to only use DES, to be compatible with the
> Sol8/MIT systems (which is everything but the one Sol10 box)?

If you are using MIT Kerberos on the Solaris 8 systems (including
pam_krb5 made for MIT, not the one that comes with SEAM), then
you should not worry about the enctypes because MIT already
supports all of the enctypes that S10 supports.

The only time you need to worry about enctypes is when you
are using pre-S10 systems with SEAM apps.  In that situation,
ONLY the pre-Solaris 10 systems need to have the DES keys;
it is perfectly acceptable for the S10 systems to have AES
and S8/S9 to have DES.   This should not affect interop if
your keytabs are correctly populated on the pre-S10 boxes.


>>
>>We have tested this and it does work, but you have to make sure
>>that the S8 system has only DES keys.
> 
> 
> All Solaris 8 systems are MIT, so if I understood your earlier comments,
> they already are DES; is that correct?
> 

Not necessarily.    If your S8 systems are MIT, then you don't
really need to worry much about the enctype support because
MIT has support for all enctypes (DES through AES-256).

You may run into problems if you try and mix/match the S8 SEAM
apps with S8 MIT stuff.   For example, the dtlogin problem
you mentioned - if dtlogin is using the SEAM pam_krb5 library,
then you must make sure that the host principals on that
S8 system have only DES keys.

If you use a 3rd party pam_krb5 library that links with MIT
Kerberos, then you should not have any enctype issues on
Solaris 8.

You may be seeing problems on your S8 systems because
you have a mixture of MIT Kerberos apps (with full enctype
support) and S8/SEAM Kerberos apps (which only support DES).


-Wyllys
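
One way to check the condition described in this reply (host principals on a Solaris 8 SEAM box holding only DES keys), as an added example that is not part of the original message. It parses `klist -ke`-style output, assumed to show KVNO, principal and a parenthesised enctype on each entry line; the function names, realm and sample listing are constructed.

```shell
#!/bin/sh
# Added example: flag host/ keytab entries that are not single DES.

# Constructed sample shaped like `klist -ke` output (assumed layout).
sample_keytab_listing() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/foo.bar.com@EXAMPLE.COM (DES cbc mode with RSA-MD5)
   3 host/foo.bar.com@EXAMPLE.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   2 nfs/foo.bar.com@EXAMPLE.COM (Triple DES cbc mode with HMAC/sha1)
EOF
}

# Reads a listing on stdin and prints "kvno principal enctype" for every
# host/ key that is not single DES. Exit status is 1 if any were found.
non_des_host_keys() {
    awk '
        # Entry lines: KVNO, principal, then the enctype in parentheses.
        /^[ \t]*[0-9]+[ \t]+[^ \t]+[ \t]+\(.*\)[ \t]*$/ {
            kvno = $1; princ = $2
            etype = $0
            sub(/^[^(]*\(/, "", etype)   # drop everything up to "("
            sub(/\)[ \t]*$/, "", etype)  # drop the closing ")"
            if (princ !~ /^host\//) next # only host principals matter here
            # Single DES appears as "DES cbc mode with ..." or "des-cbc-...";
            # "Triple DES ..." and "des3-..." do not match this pattern.
            if (tolower(etype) ~ /^des[- ]cbc/) next
            printf "%s %s %s\n", kvno, princ, etype
            bad = 1
        }
        END { exit bad ? 1 : 0 }
    '
}

# Demonstration on the constructed sample; on a real host, pipe the output
# of `klist -ke` for the system keytab into non_des_host_keys instead.
sample_keytab_listing | non_des_host_keys || echo "non-DES host keys present"
```
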

