OpenSSH GSSAPI gives "Cannot find ticket for requested realm"

Marcus Watts mdw at umich.edu
Thu Jun 3 15:47:04 EDT 2010 

> Date:    Thu, 03 Jun 2010 01:59:57 PDT
> To:      kerberos at mit.edu
> From:    Peter Waller <peter.waller at gmail.com>
> Subject: Re: OpenSSH GSSAPI gives "Cannot find ticket for requested realm"
> 
> Hi Simon,
...
> After some googling, I can't figure out how to get a list of valid
> enctypes to try. I tried a few enctypes I found by googling, but they
> all failed either locally (unrecognized enctype) or remotely
> (krb5_get_init_creds: KDC has no support for encryption type). Is
> there a simple way to get a list of valid enctypes?
> 
> Thanks in advance for any help,
> 
> - Peter

I'm not Simon, but I'm willing to take a stab at the questions
you asked "after some googling".

You don't say what command you used, or what error message you got.
Assuming you're using MIT kerberos, you are presumably using kadmin
and xst (ktadd).  ank and cpw also take -e and work similarly.

If you give these -e keytype, you might indeed get a mysterious error
message when the key type is "right".
	kadmin:  xst -e des-cbc-crc foobar
	ktadd: Invalid argument while parsing keysalts de
	kadmin:  
The string "de" here is a chewed up copy of the input key type.
1.8 will instead say "des".
Obviously it would be more helpful if it said
	kadmin:  xst -e des-cbc-crc foobar
	ktadd: Invalid or missing salt type in des-cbc-crc
	use "list_types" to see a list of valid keys and salts.
	kadmin:  

In fact, for all these, you have to always specify keytype salt tuples.
This is true even when making keytabs or using "-randkey".

So, correct usage:

xst -e aes256-cts:normal host/diamonddogs.ifs.umich.edu
xst -k /tmp/test.fun -e des3-cbc-sha1:normal,des-cbc-crc:normal test/fun

You may be able to use other punctuation than : ,
see use and implementation of krb5_string_to_keysalts() in
src/kadmin/cli/keytab.c src/lib/kadm5/str_conv.c
The man page partly explains this, sort of.

I don't know of any trivial way to get key types or salts listed.
Perhaps it should be in the man pages.  An option to kadmin to
list them would be even more useful, since it would reflect what's
actually built into the code.

For now, the list of key types is in src/lib/crypto/etypes.c
which goes into the library "k5crypto".
The list of salt types is in src/lib/krb5/krb/str_conv.c
which goes into the library "krb5".
So, on linux, if you don't have source handy,
strings -a /usr/lib/libk5crypto.so | egrep -e -
strings -2 -a /usr/lib/libkrb5.so | egrep -C 5 'normal|afs|special|afs3'

Note that some key types have aliases, the input keywords
are mixed with the output printable forms, and there's plenty
more to ignore.

Here's an approximate list of what you should see,
 keys
des-cbc-crc
des-cbc-md4
des-cbc-md5
des-hmac-sha1
des3-cbc-sha1
rc4-hmac
rc4-hmac-exp
aes128-cts
aes256-cts

 salt
normal
v4
norealm
onlyrealm
special
afs3

				- Marcus Watts

More information about the Kerberos mailing list