How to prevent getting rc4-hmac data

Paul W. Nelson nelson at
Fri Jan 31 17:11:29 EST 2003

And you can do that by changing the password (one time is all it takes).

This can be a problem with the Administrator account in AD, since that
account is created before the domain gets set up, and uses RC4.  Users added
after the domain gets set up should have a DES stored password and will work

Paul W. Nelson
Thursby Software Systems, Inc.

> From: Nicolas Williams <Nicolas.Williams at>
> Date: Fri, 31 Jan 2003 15:59:16 -0600
> To: "Neulinger, Nathan" <nneul at>
> Cc: krbdev at
> Subject: Re: How to prevent getting rc4-hmac data
> The ticket you're getting must have a DES session key, but the enc part
> of the ticket must be encrypted in rc4-hmac.  To prevent this make sure
> that your service principal has no rc4-hmac key in its AD entry.
> Cheers,
> Nico
> On Fri, Jan 31, 2003 at 03:55:48PM -0600, Neulinger, Nathan wrote:
>> I just started looking at re-deploying ssh with the gssapi patch
>> recently, and noticed that depending on how I got the
>> host/hostname at REALM ticket, it works or doesn't.
>> I'm running against a microsoft ADS kerberos server.
>> If I kinit, then run ssh, gssapi gets the host ticket, and it gets it as
>> rc4-hmac, and fails to connect to the remote ssh server.
>> If I kinit, then krb telnet to the remote host, then ssh, the telnet
>> gets the ticket, and it gets it as des-cbc-crc, and ssh connects just
>> fine.
>> I have:
>> [libdefaults]
>>         default_realm = UMR.EDU
>>         default_tgs_enctypes = des-cbc-crc
>>         default_tkt_enctypes = des-cbc-crc
>> in krb5.conf. Is there anything else that can be set (or code changed in
>> ssh client) to cause gssapi_krb to NOT get a rc4-hmac ticket?
>> -- Nathan
>> ------------------------------------------------------------
>> Nathan Neulinger                       EMail:  nneul at
>> University of Missouri - Rolla         Phone: (573) 341-4841
>> Computing Services                       Fax: (573) 341-4216
>> _______________________________________________
>> krbdev mailing list             krbdev at
> _______________________________________________
> krbdev mailing list             krbdev at

More information about the krbdev mailing list