How to prevent getting rc4-hmac data
Nicolas Williams
Nicolas.Williams at sun.com
Fri Jan 31 16:59:16 EST 2003
The ticket you're getting must have a DES session key, but the enc part
of the ticket must be encrypted in rc4-hmac. To prevent this, make sure
that your service principal has no rc4-hmac key in its AD entry.
Cheers,
Nico
On Fri, Jan 31, 2003 at 03:55:48PM -0600, Neulinger, Nathan wrote:
> I just started looking at re-deploying ssh with the gssapi patch
> recently, and noticed that depending on how I got the
> host/hostname at REALM ticket, it works or doesn't.
>
> I'm running against a Microsoft ADS kerberos server.
>
> If I kinit, then run ssh, gssapi gets the host ticket, and it gets it as
> rc4-hmac, and fails to connect to the remote ssh server.
>
> If I kinit, then krb telnet to the remote host, then ssh, the telnet
> gets the ticket, and it gets it as des-cbc-crc, and ssh connects just
> fine.
>
> I have:
>
> [libdefaults]
> default_realm = UMR.EDU
> default_tgs_enctypes = des-cbc-crc
> default_tkt_enctypes = des-cbc-crc
>
> in krb5.conf. Is there anything else that can be set (or code changed in
> ssh client) to cause gssapi_krb to NOT get an rc4-hmac ticket?
>
>
>
> -- Nathan
>
> ------------------------------------------------------------
> Nathan Neulinger EMail: nneul at umr.edu
> University of Missouri - Rolla Phone: (573) 341-4841
> Computing Services Fax: (573) 341-4216
> _______________________________________________
> krbdev mailing list krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
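
Added example, not part of the original messages: a small Python check that reads `klist -e` output and reports service tickets whose session key is DES while the ticket's encrypted part is rc4-hmac, which is the mismatch described in the reply above. The sample cache listing is constructed, the user and host names are placeholders, and the `Etype (skey, tkt):` line layout and the RC4 spellings are assumptions about the local klist build.

```python
import re

# Spellings of the RC4 enctype to match (assumption: klist builds differ in
# how they print it; extend this set to match yours).
RC4_NAMES = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"}

# Constructed sample of `klist -e` output; user and host names are placeholders.
SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@UMR.EDU

Valid starting       Expires              Service principal
01/31/2003 15:40:02  02/01/2003 01:40:02  krbtgt/UMR.EDU@UMR.EDU
        Etype (skey, tkt): des-cbc-crc, des-cbc-crc
01/31/2003 15:41:10  02/01/2003 01:40:02  host/server.example.edu@UMR.EDU
        Etype (skey, tkt): des-cbc-crc, arcfour-hmac
"""

TICKET_RE = re.compile(r"^\d{2}/\d{2}/\d{2,4} \S+\s+\d{2}/\d{2}/\d{2,4} \S+\s+(\S+)$")
ETYPE_RE = re.compile(r"^\s*Etype \(skey, tkt\):\s*(\S.*?)\s*,\s*(\S.*?)\s*$")


def parse_klist(text):
    """Return [(service, session_key_etype, ticket_etype)] from `klist -e` text."""
    tickets, service = [], None
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            service = m.group(1)      # remember which ticket the next Etype line describes
            continue
        m = ETYPE_RE.match(line)
        if m and service:
            tickets.append((service, m.group(1).lower(), m.group(2).lower()))
            service = None
    return tickets


def rc4_wrapped(tickets, allowed_skey=("des-cbc-crc",)):
    """Services whose session key is an allowed enctype but whose ticket
    enc part was encrypted by the KDC with the service's RC4 key."""
    return [svc for svc, skey, tkt in tickets
            if skey in allowed_skey and tkt in RC4_NAMES]


if __name__ == "__main__":
    for svc in rc4_wrapped(parse_klist(SAMPLE)):
        print(f"{svc}: DES session key, ticket enc part is rc4-hmac")
```

A service listed by this check still has an rc4-hmac key in its directory entry, so the client-side enctype settings in krb5.conf alone will not change how the ticket itself is encrypted.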