How to prevent getting rc4-hmac data

Nicolas Williams Nicolas.Williams at
Fri Jan 31 16:59:16 EST 2003

The ticket you're getting must have a DES session key, but the enc part
of the ticket must be encrypted in rc4-hmac.  To prevent this make sure
that your service principal has no rc4-hmac key in its AD entry.



On Fri, Jan 31, 2003 at 03:55:48PM -0600, Neulinger, Nathan wrote:
> I just started looking at re-deploying ssh with the gssapi patch
> recently, and noticed that depending on how I got the
> host/hostname at REALM ticket, it works or doesn't.
> I'm running against a microsoft ADS kerberos server.
> If I kinit, then run ssh, gssapi gets the host ticket, and it gets it as
> rc4-hmac, and fails to connect to the remote ssh server.
> If I kinit, then krb telnet to the remote host, then ssh, the telnet
> gets the ticket, and it gets it as des-cbc-crc, and ssh connects just
> fine.
> I have:
> [libdefaults]
>         default_realm = UMR.EDU
>         default_tgs_enctypes = des-cbc-crc
>         default_tkt_enctypes = des-cbc-crc
> in krb5.conf. Is there anything else that can be set (or code changed in
> ssh client) to cause gssapi_krb to NOT get a rc4-hmac ticket?
> -- Nathan
> ------------------------------------------------------------
> Nathan Neulinger                       EMail:  nneul at
> University of Missouri - Rolla         Phone: (573) 341-4841
> Computing Services                       Fax: (573) 341-4216
> _______________________________________________
> krbdev mailing list             krbdev at

More information about the krbdev mailing list