Solaris 9, stock sshd, pam_krb5, MIT 1.4.3 KDC

Jeff Blaine jblaine at kickflop.net
Tue May 16 16:01:11 EDT 2006


I'm confused, then, Nicolas.

As I read the output, there are 2 keys stored
for these principals:

   1 using Triple DES cbc mode with HMAC/sha1

   1 using DES cbc mode with CRC-32

And the first matching enctype is supposed to be used,
which would be des-cbc-crc (and des3-hmac-sha1 would
not, as it is not common to the client and server).

Nicolas Williams wrote:
> On Tue, May 16, 2006 at 03:10:04PM -0400, Jeff Blaine wrote:
>> Nicolas Williams wrote:
>>> What does "klist -ke /etc/krb5/krb5.keytab" say?
>> bash-2.05# /export/home/krb5/bin/klist -ke /etc/krb5/krb5.keytab
>> Keytab name: FILE:/etc/krb5/krb5.keytab
>> KVNO Principal
>> ---- --------------------------------------------------------------------------
>>     4 host/192.168.168.3@JBTEST (Triple DES cbc mode with HMAC/sha1)
>>     4 host/192.168.168.3@JBTEST (DES cbc mode with CRC-32)
>>     4 host/noodle.foo.com@JBTEST (Triple DES cbc mode with HMAC/sha1)
>>     4 host/noodle.foo.com@JBTEST (DES cbc mode with CRC-32)
>>     3 cvs/192.168.168.3@JBTEST (Triple DES cbc mode with HMAC/sha1)
>>     3 cvs/192.168.168.3@JBTEST (DES cbc mode with CRC-32)
>>     3 cvs/noodle.foo.com@JBTEST (Triple DES cbc mode with HMAC/sha1)
>>     3 cvs/noodle.foo.com@JBTEST (DES cbc mode with CRC-32)
>> bash-2.05#
>>
>>> It's possible that your host principal has keys of enctypes other than
>>> des-cbc-crc or des-cbc-md5 -- since those are the only enctypes that
>>> Solaris 9 supports this would be a misconfiguration.
> 
> That's exactly it then.  Solaris 9 does not support the 3DES enctypes.
> 
> Change your host principal's keys to be only des-cbc-crc.
> 
> Nico
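
A check for the mismatch diagnosed in this thread, as an added example that is not part of the original messages: it reads `klist -ke` output and lists every key whose enctype is outside the set the host supports. The supported set (the klist descriptions for des-cbc-crc and des-cbc-md5, following the statement above about Solaris 9), the function names and the sample input are assumptions made for this example.

```shell
#!/bin/sh
# Added example: flag keytab entries whose enctype the host cannot use.
# Input is `klist -ke` text on stdin. The supported list is an assumption
# taken from the thread (Solaris 9: des-cbc-crc and des-cbc-md5 only),
# written as the descriptions MIT klist prints for those enctypes.
SUPPORTED='DES cbc mode with CRC-32|DES cbc mode with RSA-MD5'

unsupported_keys() {
    # Prints "KVNO principal enctype" for each key not listed in $SUPPORTED.
    awk -v ok="$SUPPORTED" '
        BEGIN {
            n = split(ok, list, "|")
            for (i = 1; i <= n; i++) good[list[i]] = 1
        }
        # Entry lines look like: "   4 host/name@REALM (enctype description)"
        $1 ~ /^[0-9]+$/ && match($0, /\(.*\)[ \t]*$/) {
            enc = substr($0, RSTART + 1, RLENGTH)
            sub(/\)[ \t]*$/, "", enc)
            if (!(enc in good)) printf "%s %s %s\n", $1, $2, enc
        }'
}

# Constructed sample, modelled on the klist output quoted in the thread.
sample_keytab() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/noodle.foo.com@JBTEST (Triple DES cbc mode with HMAC/sha1)
   4 host/noodle.foo.com@JBTEST (DES cbc mode with CRC-32)
   3 cvs/noodle.foo.com@JBTEST (Triple DES cbc mode with HMAC/sha1)
   3 cvs/noodle.foo.com@JBTEST (DES cbc mode with CRC-32)
EOF
}

# Stand-alone run on the sample; on a real host, pipe klist into the function:
#   klist -ke /etc/krb5/krb5.keytab | unsupported_keys
sample_keytab | unsupported_keys
```

Any line it prints is a key the service cannot use; an empty result means every key in the keytab has a supported enctype.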


