Solaris 9, stock sshd, pam_krb5, MIT 1.4.3 KDC
Nicolas Williams
Nicolas.Williams at sun.com
Tue May 16 15:44:40 EDT 2006
On Tue, May 16, 2006 at 03:10:04PM -0400, Jeff Blaine wrote:
> Nicolas Williams wrote:
> > What does "klist -ke /etc/krb5/krb5.keytab" say?
>
> bash-2.05# /export/home/krb5/bin/klist -ke /etc/krb5/krb5.keytab
> Keytab name: FILE:/etc/krb5/krb5.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
> 4 host/192.168.168.3 at JBTEST (Triple DES cbc mode with HMAC/sha1)
> 4 host/192.168.168.3 at JBTEST (DES cbc mode with CRC-32)
> 4 host/noodle.foo.com at JBTEST (Triple DES cbc mode with HMAC/sha1)
> 4 host/noodle.foo.com at JBTEST (DES cbc mode with CRC-32)
> 3 cvs/192.168.168.3 at JBTEST (Triple DES cbc mode with HMAC/sha1)
> 3 cvs/192.168.168.3 at JBTEST (DES cbc mode with CRC-32)
> 3 cvs/noodle.foo.com at JBTEST (Triple DES cbc mode with HMAC/sha1)
> 3 cvs/noodle.foo.com at JBTEST (DES cbc mode with CRC-32)
> bash-2.05#
>
> > It's possible that your host principal has keys of enctypes other than
> > des-cbc-crc or des-cbc-md5 -- since those are the only enctypes that
> > Solaris 9 supports this would be a misconfiguration.
That's exactly it then. Solaris 9 does not support the 3DES enctypes.
Change your host principal's keys to be only des-cbc-crc.
Nico
--
More information about the Kerberos
mailing list