Solaris 9, stock sshd, pam_krb5, MIT 1.4.3 KDC
Jeffrey Hutzelman
jhutz at cmu.edu
Tue May 16 17:44:04 EDT 2006
On Tuesday, May 16, 2006 05:32:45 PM -0400 Jeff Blaine
<jblaine at kickflop.net> wrote:
> I guess this is what I want:
>
> http://www.ietf.org/internet-drafts/draft-zhu-kerb-enctype-nego-04.txt

Actually, this doesn't help with your problem. The mechanism described in
that document allows a client and server to negotiate use of an enctype for
communications with each other even when that enctype is not supported by
the KDC.

The problem you're having is that the KDC believes your service supports
the des3-hmac-sha1 enctype, and so encrypts service tickets using that
enctype. By design, there is nothing a client can do to influence the
enctype used by the KDC to communicate with a service.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
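
An added example, not part of the original message: a check an administrator could run to spot the mismatch described above, comparing the keys the KDC holds for a service principal against the enctypes the service can decrypt. The principal name, the sample "Key:" lines (written in the style of `kadmin getprinc` output), the single-DES support set, and the rule that the KDC uses the first listed key of the highest kvno are all assumptions made for illustration.

```python
import re

# Constructed sample in the style of `kadmin getprinc` output (not from the thread).
SAMPLE_GETPRINC = """\
Principal: host/server.example.com@EXAMPLE.COM
Number of keys: 2
Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 3, DES cbc mode with CRC-32, no salt
"""

# Assumption: the service's Kerberos library can only decrypt single-DES tickets.
SERVICE_SUPPORTED = {"DES cbc mode with CRC-32", "DES cbc mode with RSA-MD5"}

KEY_LINE = re.compile(r"^Key: vno (\d+), ([^,]+), ")

def parse_keys(getprinc_text):
    """Return [(kvno, enctype_description)] in the order they are listed."""
    keys = []
    for line in getprinc_text.splitlines():
        m = KEY_LINE.match(line.strip())
        if m:
            keys.append((int(m.group(1)), m.group(2).strip()))
    return keys

def ticket_enctype(keys):
    """Simplified model: the KDC encrypts the service ticket with the first
    listed key of the highest kvno. The client's requested enctypes are
    deliberately not an input, matching the point made in the message."""
    if not keys:
        return None
    newest = max(kvno for kvno, _ in keys)
    return next(etype for kvno, etype in keys if kvno == newest)

def audit(getprinc_text, service_supported):
    """Report the enctype the KDC would pick and whether the service can use it."""
    keys = parse_keys(getprinc_text)
    chosen = ticket_enctype(keys)
    return {
        "chosen": chosen,
        "service_can_decrypt": chosen in service_supported,
        "unsupported_keys": [e for _, e in keys if e not in service_supported],
    }

if __name__ == "__main__":
    print(audit(SAMPLE_GETPRINC, SERVICE_SUPPORTED))
```

Any entry in `unsupported_keys` is a key the KDC holds that the service cannot use, which is the condition the message describes.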