Solaris 9, stock sshd, pam_krb5, MIT 1.4.3 KDC

Nicolas Williams Nicolas.Williams at sun.com
Tue May 16 15:44:40 EDT 2006


On Tue, May 16, 2006 at 03:10:04PM -0400, Jeff Blaine wrote:
> Nicolas Williams wrote:
> > What does "klist -ke /etc/krb5/krb5.keytab" say?
> 
> bash-2.05# /export/home/krb5/bin/klist -ke /etc/krb5/krb5.keytab
> Keytab name: FILE:/etc/krb5/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>     4 host/192.168.168.3 at JBTEST (Triple DES cbc mode with HMAC/sha1)
>     4 host/192.168.168.3 at JBTEST (DES cbc mode with CRC-32)
>     4 host/noodle.foo.com at JBTEST (Triple DES cbc mode with HMAC/sha1)
>     4 host/noodle.foo.com at JBTEST (DES cbc mode with CRC-32)
>     3 cvs/192.168.168.3 at JBTEST (Triple DES cbc mode with HMAC/sha1)
>     3 cvs/192.168.168.3 at JBTEST (DES cbc mode with CRC-32)
>     3 cvs/noodle.foo.com at JBTEST (Triple DES cbc mode with HMAC/sha1)
>     3 cvs/noodle.foo.com at JBTEST (DES cbc mode with CRC-32)
> bash-2.05#
> 
> > It's possible that your host principal has keys of enctypes other than
> > des-cbc-crc or des-cbc-md5 -- since those are the only enctypes that
> > Solaris 9 supports this would be a misconfiguration.

That's exactly it then.  Solaris 9 does not support the 3DES enctypes.

Change your host principal's keys to be only des-cbc-crc.

Nico
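
As an added example (not part of the original message, and not code from Solaris or MIT Kerberos), the check done by eye in this thread can be scripted: parse `klist -ke` output and report every principal holding keys outside the enctypes Solaris 9 is said to support. The sample output, the `host/ok.foo.com` principal and the function names are constructed for illustration; the description string for des-cbc-md5 is an assumption.

```python
import re
from collections import defaultdict

# Enctypes the thread says Solaris 9 supports, keyed by the description
# klist prints. "DES cbc mode with CRC-32" appears in the quoted output;
# the RSA-MD5 string for des-cbc-md5 is an assumption.
SOLARIS9_SUPPORTED = {
    "DES cbc mode with CRC-32": "des-cbc-crc",
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
}

# One entry: KVNO, principal, "(enctype description)". The lazy principal
# group also accepts the "user at REALM" form found in list archives.
ENTRY = re.compile(r"^\s*(\d+)\s+(.+?)\s+\(([^()]+)\)\s*$")

# Constructed sample, modelled on the klist -ke output quoted in the thread.
SAMPLE = """\
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/noodle.foo.com@JBTEST (Triple DES cbc mode with HMAC/sha1)
   4 host/noodle.foo.com@JBTEST (DES cbc mode with CRC-32)
   3 cvs/noodle.foo.com@JBTEST (Triple DES cbc mode with HMAC/sha1)
   3 cvs/noodle.foo.com@JBTEST (DES cbc mode with CRC-32)
   2 host/ok.foo.com@JBTEST (DES cbc mode with CRC-32)
"""

def parse_klist(text):
    """Return [(kvno, principal, enctype_description)] from klist -ke output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:  # header, separator and shell prompt lines do not match
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries

def unsupported_keys(text, supported=SOLARIS9_SUPPORTED):
    """Map principal -> sorted enctype descriptions the host cannot use."""
    bad = defaultdict(set)
    for _kvno, principal, enctype in parse_klist(text):
        if enctype not in supported:
            bad[principal].add(enctype)
    return {p: sorted(e) for p, e in bad.items()}

if __name__ == "__main__":
    for principal, enctypes in sorted(unsupported_keys(SAMPLE).items()):
        print(f"{principal}: re-key without {', '.join(enctypes)}")
```
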