Solaris 9, stock sshd, pam_krb5, MIT 1.4.3 KDC
Nicolas Williams
Nicolas.Williams at sun.com
Wed May 17 18:09:36 EDT 2006
On Tue, May 16, 2006 at 06:40:29PM -0400, Jeff Blaine wrote:
> Yes, MIT k5 1.4.3
>
> The only Solaris piece I ever expect to use is pam_krb5.so
And secure NFS? (kgssapi/kmech_krb5, gssd/mech_krb5)
> I've yet to touch/test Linux + K5, but it will be promptly
> after I find most of the hiccups with Solaris + MIT for
> now. Then it's on to Cyrus IMAP integration and other
> fun stuff.
Would you consider running a Solaris 10 KDC?
> Maybe I'm just sore about it, but perhaps something should
> be mentioned about this in the docs?
Which part? That Solaris 9 only supports the Kerberos V 1DES enctypes
should be clear from the krb5.conf man page.
As for the Solaris 10 kadmind heuristic I described, I'm not sure where
that's documented. I'll find out.
> I can't really wrap
> my head around how this bit me and there wasn't a pile
> of mailing list archive chatter by other people being
> bitten (when I searched before posting...). That is, I
> don't see that I am doing anything rare here.
You're mixing two Kerberos V implementations on the same host. This is
not so rare for Solaris 8 and 9 systems, actually, but when one does
this one should be careful about possibly disjoint feature sets of the
two implementations.
> I'm trying
> to use MIT K5 as a KDC in a homogenous environment. Out
> of the box, I got bit the first time I touched anything
> that didn't come from MIT. If nobody finds that bad,
> so be it -- I'm not going to drag it out further.
See above.
> And now, I cannot get kadmin.local to NOT make 3DES
> keys. I have tried:
The MIT and Solaris 10 kadmin/kadmin.local have a -e option to ktadd
that you should use. The enctype names include a salt type (for your
purposes always ":normal").
That the salt type is not optional is just awful, IMO.
> No dice. It appears to be blindly ignoring everything
> EXCEPT '-e des-crc-cbc:normal' as part of ktadd (which I
> should not have to do when set up this way).
>
> Here's a bug, too :)
>
> kadmin.local: ktadd -e des-cbc-crc host/noodle.foo.com
> ktadd: Invalid argument while parsing keysalts de
>
> ^^ ????
>
> This is about the time I start getting really worried.
As has been pointed out you didn't include the ":normal" (though you
included it in your e-mail).
> Worried that either I am *really* stupid, or... wow :(
No, the interface isn't very friendly.
> > Perhaps we need to get this behaviour into MIT krb5, since you're using
> > it alongside Solaris' krb5 support. I assume you're using MIT's KDC
> > software.
>
> Above - and I think that's a great idea.
I'll file a report in the MIT krb5 RT.
Nico
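As an added illustration (not code from this thread or from MIT/Sun), a small Python validator for the kadmin `ktadd -e` keysalt syntax Nico describes: it rejects a bare enctype with no ":normal" salt type, the failure Jeff hit, and flags enctypes outside the single-DES set a Solaris 9 host can use. The exact single-DES names (des-cbc-crc, des-cbc-md5) are an assumption; the thread itself only names des-cbc-crc.

```python
# Single-DES ("1DES") Kerberos V enctypes. The thread says Solaris 9 supports
# only 1DES; listing des-cbc-crc and des-cbc-md5 as that set is an assumption.
SOLARIS9_ENCTYPES = frozenset({"des-cbc-crc", "des-cbc-md5"})


def parse_keysalts(spec):
    """Parse a kadmin-style keysalt list: 'enctype:salttype [enctype:salttype ...]'.

    As in kadmin, the salt type is NOT optional; a bare enctype such as
    'des-cbc-crc' is rejected (analogous to kadmin's "Invalid argument while
    parsing keysalts"). Returns a list of (enctype, salttype) tuples.
    """
    pairs = []
    for token in spec.split():
        enctype, sep, salt = token.partition(":")
        if not enctype or not sep or not salt:
            raise ValueError(
                f"Invalid argument while parsing keysalts {token!r}: "
                "expected enctype:salttype (e.g. des-cbc-crc:normal)")
        pairs.append((enctype.lower(), salt.lower()))
    return pairs


def is_valid_keysalts(spec):
    """True if SPEC parses as a complete keysalt list, False otherwise."""
    try:
        parse_keysalts(spec)
        return True
    except ValueError:
        return False


def unsupported_on_solaris9(spec):
    """Return enctypes in SPEC that a Solaris 9 Kerberos mech could not use.

    Useful before adding keys for a principal whose keytab will be read by
    a Solaris 9 host (e.g. sshd via pam_krb5): any enctype returned here
    would be written by the MIT KDC but be unusable on that client.
    """
    return [enc for enc, _ in parse_keysalts(spec) if enc not in SOLARIS9_ENCTYPES]


def ktadd_args(principal, spec):
    """Build the kadmin 'ktadd' argument list, validating the keysalt spec first."""
    parse_keysalts(spec)
    return ["ktadd", "-e", spec, principal]


if __name__ == "__main__":
    # Constructed sample: the principal from the thread, one good and one bad spec.
    print(ktadd_args("host/noodle.foo.com", "des-cbc-crc:normal"))
    print(unsupported_on_solaris9("des-cbc-crc:normal des3-cbc-sha1:normal"))
    print(is_valid_keysalts("des-cbc-crc"))  # bare enctype, no salt type
```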