Solaris ssh pam_krb
Ken Hornstein
kenh at cmf.nrl.navy.mil
Wed Mar 29 10:30:31 EST 2006
>>> 4) /etc/krb5/krb5.conf is the standard one from campus and includes:
>>> default_tgs_enctypes = des-cbc-crc
>>> default_tkt_enctypes = des-cbc-crc
>
>> You may want to take these last two lines out, as it might be forcing to
>> only accept DES, even though the KDC and the client think it can do
>> better.
>
>That's the only thing that our KDC, right now, is going to be willing to
>do. That's changing slowly, but not yet for host/* principals.

As someone who spent years tracking down problems related to those damn
lines in krb5.conf .... trust me when I say that you want to start
removing those configuration options _now_. 99.9% of the time you
don't need those options, and they're just going to cause you trouble
eventually. I never distributed a krb5.conf file with those options,
but somehow people out there ended up with those options in it, and it
caused us no end of problems when we ditched single-DES (I think some
ancient version of MIT Kerberos had those in a sample config file, so
people unwisely copied those into their config file because they used
the sample config file as a template, and it just got copied around over the
years because people "thought that they needed it").

You've already endured enough pain by having a lowercase realm name ...
do you really want more? :-)
--Ken
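
Added example, not part of the original post: a Python check that finds the default_tgs_enctypes / default_tkt_enctypes lines discussed above in the [libdefaults] section of a krb5.conf, reports whether they restrict the client to single-DES, and produces a copy with those lines commented out. The sample config, the realm EXAMPLE.COM, and the function names are constructed for illustration.

```python
import re

# The two settings named in the post; both pin the client's encryption types.
PINNING_KEYS = {"default_tgs_enctypes", "default_tkt_enctypes"}
# Single-DES enctype names as they appear in krb5.conf ("des" is the family alias).
SINGLE_DES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}

# Constructed sample input, modelled on the config quoted in the thread.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tgs_enctypes = des-cbc-crc
    default_tkt_enctypes = des-cbc-crc
    # default_tkt_enctypes = des-cbc-md5

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

def find_enctype_pins(text):
    """Return (line_no, key, enctypes, des_only) for each pinning line in [libdefaults]."""
    findings, section = [], None
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        key, sep, value = line.partition("=")
        if section != "libdefaults" or not sep or key.strip() not in PINNING_KEYS:
            continue
        enctypes = [e.lower() for e in re.split(r"[,\s]+", value.strip()) if e]
        des_only = bool(enctypes) and all(e in SINGLE_DES for e in enctypes)
        findings.append((line_no, key.strip(), enctypes, des_only))
    return findings

def comment_out_pins(text):
    """Return the config text with every pinning line commented out."""
    pinned = {line_no for line_no, *_ in find_enctype_pins(text)}
    lines = text.splitlines()
    return "\n".join("# " + l if n in pinned else l for n, l in enumerate(lines, 1)) + "\n"

if __name__ == "__main__":
    for line_no, key, enctypes, des_only in find_enctype_pins(SAMPLE):
        print(f"line {line_no}: {key} = {' '.join(enctypes)} (single-DES only: {des_only})")
```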