How to prevent getting rc4-hmac data
Paul W. Nelson
nelson at thursby.com
Fri Jan 31 17:11:29 EST 2003
And you can do that by changing the password (one time is all it takes).
This can be a problem with the Administrator account in AD, since that
account is created before the domain gets set up, and uses RC4. Users added
after the domain gets set up should have a DES stored password and will work.
Paul W. Nelson
Thursby Software Systems, Inc.
> From: Nicolas Williams <Nicolas.Williams at sun.com>
> Date: Fri, 31 Jan 2003 15:59:16 -0600
> To: "Neulinger, Nathan" <nneul at umr.edu>
> Cc: krbdev at mit.edu
> Subject: Re: How to prevent getting rc4-hmac data
> The ticket you're getting must have a DES session key, but the enc part
> of the ticket must be encrypted in rc4-hmac. To prevent this make sure
> that your service principal has no rc4-hmac key in its AD entry.
> On Fri, Jan 31, 2003 at 03:55:48PM -0600, Neulinger, Nathan wrote:
>> I just started looking at re-deploying ssh with the gssapi patch
>> recently, and noticed that depending on how I got the
>> host/hostname at REALM ticket, it works or doesn't.
>> I'm running against a microsoft ADS kerberos server.
>> If I kinit, then run ssh, gssapi gets the host ticket, and it gets it as
>> rc4-hmac, and fails to connect to the remote ssh server.
>> If I kinit, then krb telnet to the remote host, then ssh, the telnet
>> gets the ticket, and it gets it as des-cbc-crc, and ssh connects just
>> I have:
>> default_realm = UMR.EDU
>> default_tgs_enctypes = des-cbc-crc
>> default_tkt_enctypes = des-cbc-crc
>> in krb5.conf. Is there anything else that can be set (or code changed in
>> ssh client) to cause gssapi_krb to NOT get a rc4-hmac ticket?
>> -- Nathan
>> Nathan Neulinger EMail: nneul at umr.edu
>> University of Missouri - Rolla Phone: (573) 341-4841
>> Computing Services Fax: (573) 341-4216
>> krbdev mailing list krbdev at mit.edu
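Nicolas's distinction between the session key enctype and the enctype of the ticket's encrypted part, and Nathan's observation that the client-side `default_tgs_enctypes` setting did not stop the rc4-hmac ticket, can both be checked directly from `klist -e` output. The Python script below is an added example, not code from this thread or from MIT Kerberos; it assumes the MIT `klist -e` detail-line format `Etype (skey, tkt): <skey>, <tkt>` and works on constructed sample output with made-up host names under the UMR.EDU realm from the thread.

```python
import re

# Constructed sample in the shape of MIT `klist -e` output (format assumed:
# each credential line is followed by "Etype (skey, tkt): <skey>, <tkt>").
# Host names are made up for this example.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: nneul@UMR.EDU

Valid starting     Expires            Service principal
01/31/03 15:55:48  02/01/03 01:55:48  krbtgt/UMR.EDU@UMR.EDU
        Etype (skey, tkt): des-cbc-crc, arcfour-hmac
01/31/03 15:56:02  02/01/03 01:55:48  host/sshhost.umr.edu@UMR.EDU
        Etype (skey, tkt): des-cbc-crc, arcfour-hmac
01/31/03 15:57:10  02/01/03 01:55:48  host/telnethost.umr.edu@UMR.EDU
        Etype (skey, tkt): des-cbc-crc, des-cbc-crc
"""

# A credential line is: start date, start time, expiry date, expiry time, principal.
CRED_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+@\S+)\s*$")
# The `-e` detail line that follows a credential line.
ETYPE_RE = re.compile(r"^\s*Etype \(skey, tkt\):\s*(.+?)\s*,\s*(.+?)\s*$")


def enctype_family(name):
    """Map an enctype name (short form or klist's long description) to a family."""
    n = name.strip().lower()
    if "rc4" in n or "arcfour" in n:
        return "rc4"
    if n.startswith("des-cbc") or n.startswith("des cbc"):
        return "des"
    return "other"


def parse_klist(text):
    """Return one dict per credential: principal, session-key enctype, ticket enctype."""
    entries = []
    current = None
    for line in text.splitlines():
        m = CRED_RE.match(line)
        if m:
            current = {"principal": m.group(5), "skey": None, "tkt": None}
            entries.append(current)
            continue
        m = ETYPE_RE.match(line)
        if m and current is not None:
            current["skey"], current["tkt"] = m.group(1), m.group(2)
    return entries


def rc4_service_tickets(entries):
    """Principals whose ticket (the part the service must decrypt) is RC4-encrypted.

    The session key enctype ("skey") is what the client negotiated through
    default_tgs_enctypes; the ticket enctype ("tkt") is chosen by the KDC from
    the service principal's stored keys, so no client-side krb5.conf setting
    changes it. A TGT (krbtgt/...) is only ever decrypted by the KDC itself,
    so it is skipped here.
    """
    hits = []
    for e in entries:
        if e["principal"].startswith("krbtgt/"):
            continue
        if e["tkt"] is not None and enctype_family(e["tkt"]) == "rc4":
            hits.append(e["principal"])
    return hits


if __name__ == "__main__":
    creds = parse_klist(SAMPLE_KLIST)
    for c in creds:
        print(f'{c["principal"]}: skey={c["skey"]} tkt={c["tkt"]}')
    for p in rc4_service_tickets(creds):
        print(f"{p}: ticket encrypted with RC4, so the service principal still "
              f"has an rc4-hmac key in the KDC (fix is on the KDC side)")
```

Run it against real output by replacing `SAMPLE_KLIST` with the text of `klist -e`. In the sample, the ssh host ticket is flagged while the telnet host ticket is not, matching the thread: the client's `des-cbc-crc` settings only govern the session key column, and the only remedy for the ticket column is to ensure the service principal has no rc4-hmac key in its AD entry, for example by resetting its password as Paul describes.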