Solaris ssh pam_krb
Nicolas Williams
Nicolas.Williams at sun.com
Wed Mar 29 00:06:05 EST 2006
On Tue, Mar 28, 2006 at 07:29:14PM -0800, Russ Allbery wrote:
> "Douglas E Engert" <deengert at anl.gov> writes:
> >> 4) /etc/krb5/krb5.conf is the standard one from campus and includes:
> >> default_tgs_enctypes = des-cbc-crc
> >> default_tkt_enctypes = des-cbc-crc
>
> > You may want to take these last two lines out, as it might be forcing to
> > only accept DES, even though the KDC and the client think it can do
> > better.
>
> That's the only thing that our KDC, right now, is going to be willing to
> do. That's changing slowly, but not yet for host/* principals.
Just because your principals only have 1DES long-term keys doesn't mean
that you need to set default_tgs_enctypes/default_tkt_enctypes; in fact,
you shouldn't. These parameters are intended to protect the client from
pre-authenticating using weak ciphers; 1DES being the weakest cipher
Kerberos V supports, it really makes no sense to use these parameters in
your case.

Besides this, you're almost certainly running into:

6320871 kinit fails if default_tkt_enctypes = des-cbc-crc but princ has des-cbc-md5 and preauth required

I've Cc'ed Will Fiveash, who's more familiar with that CR.
Nico