Solaris 9, stock sshd, pam_krb5, MIT 1.4.3 KDC

Nicolas Williams Nicolas.Williams@sun.com
Tue May 16 17:03:50 EDT 2006


On Tue, May 16, 2006 at 04:01:11PM -0400, Jeff Blaine wrote:
> I'm confused, then, Nicolas.
> 
> As I read the output, there are 2 keys stored
> for these principals:
> 
>    1 using Triple DES cbc mode with HMAC/sha1
> 
>    1 using DES cbc mode with CRC-32
> 
> And the first matching enctype is supposed to be used,
> which would be des-cbc-crc (and des3-hmac-sha1 would
> not, as it is not common to the client and server).

What does kadmin -q "getprinc host/noodle.foo.com@JBTEST" say?

I bet the des3-hmac-sha1 key comes before the des-cbc-crc key.

That means that when the stock pam_krb5/mech_krb5 do a TGS-REQ to get a
service ticket [for the PAM_USER with host/noodle.foo.com@JBTEST as the
service principal name] with which to validate the user's TGT the ticket
will come back encrypted in host/noodle.foo.com@JBTEST's 3DES key
(because the KDC will select that long-term key because it's first in
the KDB entry), which, sadly, the Solaris 9 mech_krb5 doesn't support.

You could upgrade to Solaris 10 and get support for AES (in addition to
3DES and HMAC-RC4)...

Nico
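The key-selection rule Nico describes, as an added example that is not part of the thread: a small model of the host principal's KDB entry and of pam_krb5's TGT-validation step, showing that the enctype of the service ticket follows the order of keys in the KDB entry rather than the client's own enctype list. The client enctype sets and the kvno values are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass
class KdbEntry:
    principal: str
    keys: List[Tuple[int, str]]   # long-term keys in KDB order: (kvno, enctype)


# Constructed KDB entry, in the order Nico expects `getprinc` to list the keys.
HOST_ENTRY = KdbEntry(
    principal="host/noodle.foo.com@JBTEST",
    keys=[(1, "des3-hmac-sha1"), (1, "des-cbc-crc")],
)

# Assumed client enctype sets (illustrative, not taken from the thread).
SOLARIS9_MECH_KRB5 = {"des-cbc-crc", "des-cbc-md5"}
SOLARIS10_MECH_KRB5 = SOLARIS9_MECH_KRB5 | {"des3-hmac-sha1", "arcfour-hmac",
                                           "aes128-cts", "aes256-cts"}


def kdc_ticket_enctype(entry: KdbEntry) -> str:
    """Rule from the thread: the service ticket is encrypted in the first
    long-term key of the service principal's KDB entry. The requesting
    client's enctype list plays no part in this choice."""
    return entry.keys[0][1]


def validate_tgt(entry: KdbEntry, client_enctypes: Set[str]) -> Tuple[bool, str]:
    """Model pam_krb5's TGT-validation step: obtain a service ticket for the
    host principal, then try to decrypt it with the matching keytab key.
    Returns (decryptable, ticket_enctype)."""
    etype = kdc_ticket_enctype(entry)
    return etype in client_enctypes, etype


def diagnose(entry: KdbEntry, client_enctypes: Set[str]) -> str:
    """Operator-side check that explains a failure in terms of key order,
    not merely 'no common enctype' (here des-cbc-crc *is* common)."""
    ok, etype = validate_tgt(entry, client_enctypes)
    common = {e for _, e in entry.keys} & client_enctypes
    if ok:
        return f"ok: ticket enctype {etype} is decryptable by the client"
    if common:
        return (f"fail: ticket uses {etype} (first key in KDB entry) but the "
                f"client only supports {sorted(common)} of this principal's keys")
    return f"fail: no enctype in common with {entry.principal}"


if __name__ == "__main__":
    print(diagnose(HOST_ENTRY, SOLARIS9_MECH_KRB5))
    print(diagnose(HOST_ENTRY, SOLARIS10_MECH_KRB5))
```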