Solaris ssh pam_krb

Ken Hornstein kenh at cmf.nrl.navy.mil
Wed Mar 29 10:30:31 EST 2006


>>> 4) /etc/krb5/krb5.conf is the standard one from campus and includes:
>>>     default_tgs_enctypes  = des-cbc-crc
>>>     default_tkt_enctypes  = des-cbc-crc
>
>> You may want to take these last two lines out, as it might be forcing to
>> only accept DES, even though the KDC and the client think it can do
>> better.
>
>That's the only thing that our KDC, right now, is going to be willing to
>do.  That's changing slowly, but not yet for host/* principals.

As someone who spent years tracking down problems related to those damn
lines in krb5.conf .... trust me when I say that you want to start
removing those configuration options _now_.  99.9% of the time you
don't need those options, and they're just going to cause you trouble
eventually.  I never distributed a krb5.conf file with those options,
but somehow people out there ended up with those options in it, and it
caused us no end of problems when we ditched single-DES (I think some
ancient version of MIT Kerberos had those in a sample config file, so
people unwisely copied those into their config file because they used
the sample config file as a template, and it just got copied around over the
years because people "thought that they needed it").

You've already endured enough pain by having a lowercase realm name ...
do you really want more? :-)

--Ken
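
An added example, not part of the original message: a small audit that finds the two enctype-pinning settings discussed above in the `[libdefaults]` section of a krb5.conf and reports whether each one allows only single-DES. The function name and the sample file are constructed for illustration; only the two `default_*_enctypes` lines come from the thread.

```python
import re

# Settings named in the thread; both restrict which enctypes the client requests.
PINNING_KEYS = {"default_tgs_enctypes", "default_tkt_enctypes"}
# Single-DES enctype names as spelled in MIT krb5 configuration.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des"}

def audit_krb5_conf(text):
    """Return one finding per enctype-pinning line in [libdefaults]."""
    findings = []
    section = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() not in PINNING_KEYS:
            continue
        enctypes = [e.lower() for e in re.split(r"[,\s]+", value) if e]
        findings.append({
            "line": lineno,
            "key": key.lower(),
            "enctypes": enctypes,
            "des_only": bool(enctypes) and all(e in SINGLE_DES for e in enctypes),
        })
    return findings

# Constructed sample file; only the two enctype lines come from the thread.
SAMPLE = """\
[libdefaults]
    default_realm = example.realm
    # default_tkt_enctypes = des-cbc-crc   (commented out, ignored)
    default_tgs_enctypes  = des-cbc-crc
    default_tkt_enctypes  = des-cbc-crc

[realms]
    example.realm = {
        kdc = kdc.example.realm
    }
"""

if __name__ == "__main__":
    for f in audit_krb5_conf(SAMPLE):
        status = "single-DES only" if f["des_only"] else "pinned"
        print(f"line {f['line']}: {f['key']} = {' '.join(f['enctypes'])} [{status}]")
```

To check a real host, pass the contents of its configuration file (`/etc/krb5/krb5.conf` in the thread) to `audit_krb5_conf`.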


