Solaris 9, stock sshd, pam_krb5, MIT 1.4.3 KDC

Jeff Blaine jblaine at kickflop.net
Tue May 16 18:40:29 EDT 2006


Yes, MIT k5 1.4.3

The only Solaris piece I ever expect to use is pam_krb5.so

I've yet to touch/test Linux + K5, but it will be promptly
after I find most of the hiccups with Solaris + MIT for
now.  Then it's on to Cyrus IMAP integration and other
fun stuff.

Maybe I'm just sore about it, but perhaps something should
be mentioned about this in the docs?  I can't really wrap
my head around how this bit me and there wasn't a pile
of mailing list archive chatter by other people being
bitten (when I searched before posting...).  That is, I
don't see that I am doing anything rare here.  I'm trying
to use MIT K5 as a KDC in a homogeneous environment.  Out
of the box, I got bit the first time I touched anything
that didn't come from MIT.  If nobody finds that bad,
so be it -- I'm not going to drag it out further.

And now, I cannot get kadmin.local to NOT make 3DES
keys.  I have tried:

1.  kdc_supported_enctypes = des-cbc-crc:normal
2.  supported_enctypes = des-cbc-crc:normal
3.  Both 1 and 2 at the same time
4.  1, 2, and 3 after restarting everything
5.  Checked and rechecked that I am editing the
     only kdc.conf on my entire box (find ...)
6.  Checked and rechecked that I am using my
     MIT distribution in /export/home/krb5 for
     all commands
7.  kdc_supported_enctypes = des-cbc-crc
8.  supported_enctypes = des-cbc-crc
9.  7 and 8 at the same time

And even throwing the krb5.conf key-related options into
/etc/krb5.conf

No dice.  It appears to be blindly ignoring everything
EXCEPT '-e des-cbc-crc:normal' as part of ktadd (which I
should not have to do when set up this way).

Here's a bug, too :)

   kadmin.local:  ktadd -e des-cbc-crc host/noodle.foo.com
   ktadd: Invalid argument while parsing keysalts de

                                                  ^^ ????

This is about the time I start getting really worried.

Worried that either I am *really* stupid, or... wow :(

> Perhaps we need to get this behaviour into MIT krb5, since you're using
> it alongside Solaris' krb5 support.  I assume you're using MIT's KDC
> software.

Above - and I think that's a great idea.
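An added check, not part of Jeff's post and not MIT code: when the realm's
supported_enctypes line (in the [realms] stanza of kdc.conf, which kadmin.local
and kadmind read when they generate keys for addprinc, cpw -randkey and ktadd
without -e) still seems to be ignored, the quickest way to see what actually
landed in the database is to read the "Key:" lines of
`kadmin.local -q "getprinc host/noodle.foo.com"`.  The script below parses
that output and flags any 3DES key.  The getprinc excerpt embedded in it is a
constructed sample assumed to follow the "Key: vno N, <enctype>, <salt>" line
shape MIT kadmin prints; on a real KDC, pipe the live output in instead.

```shell
#!/bin/sh
# Added example (not from the post, not MIT's own tooling): detect leftover
# 3DES keys from kadmin "getprinc" output.  Real use:
#   kadmin.local -q "getprinc host/noodle.foo.com" | has_des3_key
# The sample below is constructed so the script runs offline.

# Constructed getprinc excerpt (assumed to match the "Key: vno N, <enctype>,
# <salt>" lines MIT kadmin prints); not captured from a real KDC.
SAMPLE_GETPRINC='Principal: host/noodle.foo.com@FOO.COM
Number of keys: 2
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt'

# Print one enctype name per line, taken from the "Key:" lines on stdin.
key_enctypes() {
    sed -n 's/^Key: vno [0-9]*, \([^,]*\),.*/\1/p'
}

# Exit status 0 if any key on stdin is a 3DES key, 1 otherwise.
has_des3_key() {
    key_enctypes | grep -qi 'triple des'
}

# Number of keys on stdin whose enctype name contains $1 (case-insensitive).
count_keys() {
    key_enctypes | grep -ci -- "$1"
}

# Stand-alone run against the constructed sample.
if printf '%s\n' "$SAMPLE_GETPRINC" | has_des3_key; then
    echo "principal still has a 3DES key: check supported_enctypes in the [realms] stanza of kdc.conf"
else
    echo "no 3DES keys on this principal"
fi
```

If the principal shows a 3DES key right after a fresh `ktadd` with no `-e`,
the key-generation side is not seeing the setting; if it shows only DES, the
keytab is fine and the remaining problem is on the client side.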
