How to prevent getting rc4-hmac data
Neulinger, Nathan
nneul at umr.edu
Fri Jan 31 17:06:33 EST 2003
You know of any way to request des only from the client side with
gssapi? I can set the DES-only flag in AD if necessary, but have not yet
needed to.
-- Nathan
------------------------------------------------------------
Nathan Neulinger EMail: nneul at umr.edu
University of Missouri - Rolla Phone: (573) 341-4841
Computing Services Fax: (573) 341-4216
> -----Original Message-----
> From: Nicolas Williams [mailto:Nicolas.Williams at sun.com]
> Sent: Friday, January 31, 2003 3:59 PM
> To: Neulinger, Nathan
> Cc: krbdev at mit.edu
> Subject: Re: How to prevent getting rc4-hmac data
>
>
> The ticket you're getting must have a DES session key, but the enc part
> of the ticket must be encrypted in rc4-hmac. To prevent this make sure
> that your service principal has no rc4-hmac key in its AD entry.
>
> Cheers,
>
> Nico
>
> On Fri, Jan 31, 2003 at 03:55:48PM -0600, Neulinger, Nathan wrote:
> > I just started looking at re-deploying ssh with the gssapi patch
> > recently, and noticed that depending on how I got the
> > host/hostname at REALM ticket, it works or doesn't.
> >
> > I'm running against a microsoft ADS kerberos server.
> >
> > If I kinit, then run ssh, gssapi gets the host ticket, and it gets it as
> > rc4-hmac, and fails to connect to the remote ssh server.
> >
> > If I kinit, then krb telnet to the remote host, then ssh, the telnet
> > gets the ticket, and it gets it as des-cbc-crc, and ssh connects just
> > fine.
> >
> > I have:
> >
> > [libdefaults]
> > default_realm = UMR.EDU
> > default_tgs_enctypes = des-cbc-crc
> > default_tkt_enctypes = des-cbc-crc
> >
> > in krb5.conf. Is there anything else that can be set (or code changed in
> > ssh client) to cause gssapi_krb to NOT get a rc4-hmac ticket?
> >
> >
> >
> > -- Nathan
> >
> > ------------------------------------------------------------
> > Nathan Neulinger EMail: nneul at umr.edu
> > University of Missouri - Rolla Phone: (573) 341-4841
> > Computing Services Fax: (573) 341-4216
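An added example, not part of the original thread and not MIT Kerberos or OpenSSH code: the Python below parses `klist -e` output and reports, per service ticket, the session-key enctype next to the enctype of the ticket's encrypted part, which is the distinction made in the quoted reply. The `klist -e` line format ("Etype (skey, tkt): ..."), the sample cache contents, the `user` principal and the set of enctypes the ssh server can decrypt are assumptions constructed for illustration.

```python
import re

# Constructed sample of `klist -e` output (MIT-style format assumed).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@UMR.EDU

Valid starting     Expires            Service principal
01/31/03 15:40:01  02/01/03 01:40:01  krbtgt/UMR.EDU@UMR.EDU
\tEtype (skey, tkt): des-cbc-crc, des-cbc-crc
01/31/03 15:41:10  02/01/03 01:40:01  host/hostname@UMR.EDU
\tEtype (skey, tkt): des-cbc-crc, arcfour-hmac
"""

# "<date> <time>  <date> <time>  <principal>"; header lines do not start with a digit.
TICKET_LINE = re.compile(r"^\d\S*\s+\S+\s+\d\S*\s+\S+\s+(\S+@\S+)\s*$")
# Indented line giving the session-key enctype, then the ticket enctype.
ETYPE_LINE = re.compile(r"^\s+Etype \(skey, tkt\):\s*(.+?),\s*(.+?)\s*$")


def parse_klist(text):
    """Return [(service, session_key_etype, ticket_etype)] from `klist -e` text."""
    tickets, service = [], None
    for line in text.splitlines():
        m = TICKET_LINE.match(line)
        if m:
            service = m.group(1)
            continue
        m = ETYPE_LINE.match(line)
        if m and service:
            tickets.append((service, m.group(1), m.group(2)))
            service = None
    return tickets


def undecryptable(tickets, acceptor_etypes):
    """Tickets whose encrypted part uses an enctype the acceptor has no key for."""
    return [t for t in tickets if t[2] not in acceptor_etypes]


if __name__ == "__main__":
    # Assumption: the ssh server's keytab holds only a des-cbc-crc key.
    for svc, skey, tkt in undecryptable(parse_klist(SAMPLE_KLIST), {"des-cbc-crc"}):
        print(f"{svc}: session key {skey}, ticket encrypted with {tkt}")
```

In the sample, the `host/` ticket carries a `des-cbc-crc` session key, consistent with the `default_tgs_enctypes` setting shown in the thread, while its encrypted part uses `arcfour-hmac`, so only the second field flags it.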