How to prevent getting rc4-hmac data

Neulinger, Nathan nneul at
Fri Jan 31 16:55:48 EST 2003

I just started looking at re-deploying ssh with the gssapi patch
recently, and noticed that depending on how I got the
host/hostname at REALM ticket, it works or doesn't.

I'm running against a microsoft ADS kerberos server.

If I kinit, then run ssh, gssapi gets the host ticket, and it gets it as
rc4-hmac, and fails to connect to the remote ssh server.

If I kinit, then krb telnet to the remote host, then ssh, the telnet
gets the ticket, and it gets it as des-cbc-crc, and ssh connects just

I have:

        default_realm = UMR.EDU
        default_tgs_enctypes = des-cbc-crc
        default_tkt_enctypes = des-cbc-crc

in krb5.conf. Is there anything else that can be set (or code changed in
ssh client) to cause gssapi_krb to NOT get a rc4-hmac ticket?

-- Nathan

Nathan Neulinger                       EMail:  nneul at
University of Missouri - Rolla         Phone: (573) 341-4841
Computing Services                       Fax: (573) 341-4216

More information about the krbdev mailing list