Solaris 9, stock sshd, pam_krb5, MIT 1.4.3 KDC
Nicolas Williams
Nicolas.Williams at sun.com
Tue May 16 17:03:50 EDT 2006
On Tue, May 16, 2006 at 04:01:11PM -0400, Jeff Blaine wrote:
> I'm confused, then, Nicolas.
>
> As I read the output, there are 2 keys stored
> for these principals:
>
> 1 using Triple DES cbc mode with HMAC/sha1
>
> 1 using DES cbc mode with CRC-32
>
> And the first matching enctype is supposed to be used,
> which would be des-cbc-crc (and des3-hmac-sha1 would
> not, as it is not common to the client and server.
What does kadmin -q "getprinc host/noodle.foo.com at JBTEST" say?
I bet the des3-hmac-sha1 key comes before the des-cbc-crc key.
That means that when the stock pam_krb5/mech_krb5 do a TGS-REQ to get a
service ticket [for the PAM_USER with host/noodle.foo.com at JBTEST as the
service principal name] with which to validate the user's TGT the ticket
will come back encrypted in host/noodle.foo.com at JBTEST's 3DES key
(because the KDC will select that long-term key because it's first in
the KDB entry), which, sadly, the Solaris 9 mech_krb5 doesn't support.
You could upgrade to Solaris 10 and get support for AES (in addition to
3DES and HMAC-RC4)...
Nico
--
More information about the Kerberos
mailing list