Solaris ssh pam_krb

Nicolas Williams Nicolas.Williams at
Wed Mar 29 00:06:05 EST 2006

On Tue, Mar 28, 2006 at 07:29:14PM -0800, Russ Allbery wrote:
> "Douglas E Engert" <deengert at> writes:
> >> 4) /etc/krb5/krb5.conf is the standard one from campus and includes:
> >>     default_tgs_enctypes  = des-cbc-crc
> >>     default_tkt_enctypes  = des-cbc-crc
> > You may want to take these last two likes out, as it might be forcing to
> > only accept DES, even though the KDC and the client think it can do
> > better.
> That's the only thing that our KDC, right now, is going to be willing to
> do.  That's changing slowly, but not yet for host/* principals.

Just because your principals only have 1DES long-term keys doesn't mean
that you need to set default_tgs_enctypes/default_tkt_enctypes; in fact,
you shouldn't.  These parameters are intended to protect the client from
pre-autenticating using weak ciphers; 1DES being the weakest cipher
Kerberos V supports it really makes no sense to use these parameters in
your case.

Besides this you're almost certainly running into:

6320871 kinit fails if default_tkt_enctypes = des-cbc-crc but princ has des-cbc-md5 and preauth required

I've Cc'ed Will Fiveash, who's more familiar with that CR.


More information about the Kerberos mailing list