Solaris ssh pam_krb

Russ Allbery rra at
Wed Mar 29 00:09:05 EST 2006

Nicolas Williams <Nicolas.Williams at> writes:

> Just because your principals only have 1DES long-term keys doesn't mean
> that you need to set default_tgs_enctypes/default_tkt_enctypes; in fact,
> you shouldn't.

Oh, I agree!  I'm just saying that it's not going to help to change that.

> Besides this you're almost certainly running into:

> 6320871 kinit fails if default_tkt_enctypes = des-cbc-crc but princ has des-cbc-md5 and preauth required

No, we're almost certainly not.  :)  Believe me, none of our principals
have any des-cbc-md5 keys and never will.

Russ Allbery (rra at             <>

More information about the Kerberos mailing list