Solaris ssh pam_krb

Russ Allbery rra at stanford.edu
Wed Mar 29 20:01:14 EST 2006


Ken Hornstein <kenh at cmf.nrl.navy.mil> writes:

> As someone who spent years tracking down problems related to those damn
> lines in krb5.conf .... trust me when I say that you want to start
> removing those configuration options _now_.

Yeah, believe me, I know.

Cruise ship, momentum, small wheel, etc.  You know how it goes.  :)  Plus
you apparently *have* to specify the Heimdal equivalent so far as I can
tell to get Heimdal to see a principal in a keytab that contains a
des-cbc-crc key through the keytab searching functions used to obtain a
local ticket.  Accepting authenticated connections works fine, but kinit
from a keytab doesn't.

Hopefully it won't be too much longer before we don't care.  But I can't
really start pushing people to even *try* using new enctypes until summer
break.  At that point, I plan on pushing out new krb5.conf files that are
less restrictive about the enctypes that are happy.

Ditching single DES in K5 is scheduled for some time after turning off K4,
so it's going to be a bit yet.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>


