Solaris ssh pam_krb

Will Fiveash William.Fiveash at
Wed Mar 29 15:52:05 EST 2006

On Tue, Mar 28, 2006 at 09:09:05PM -0800, Russ Allbery wrote:
> Nicolas Williams <Nicolas.Williams at> writes:
> > Just because your principals only have 1DES long-term keys doesn't mean
> > that you need to set default_tgs_enctypes/default_tkt_enctypes; in fact,
> > you shouldn't.
> Oh, I agree!  I'm just saying that it's not going to help to change that.
> > Besides this you're almost certainly running into:
> > 6320871 kinit fails if default_tkt_enctypes = des-cbc-crc but princ has des-cbc-md5 and preauth required
> No, we're almost certainly not.  :)  Believe me, none of our principals
> have any des-cbc-md5 keys and never will.

I've been talking to the Sun Support person who is handling this case.
The krb-diag script run on the Solaris system shows that kinit is able
to fetch a TGT using the host service princ. in the keytab so this
aspect of login auth is working.  After looking at the krb-diag output,
I have made some of the same recommendations to the Support person as
found in this thread.  I suggest the Stanford folks continue to work
with Sun Support and hopefully this problem will be resolved soon.

Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
