How to prevent getting rc4-hmac data

Neulinger, Nathan nneul at umr.edu
Fri Jan 31 17:15:24 EST 2003


We're just going to set the des-only flag on any host service princs,
that seems to correct it fine. Realized that setting it at client would
only help locally, not from outside installs. 

-- Nathan

------------------------------------------------------------
Nathan Neulinger                       EMail:  nneul at umr.edu
University of Missouri - Rolla         Phone: (573) 341-4841
Computing Services                       Fax: (573) 341-4216


> -----Original Message-----
> From: Paul W. Nelson [mailto:nelson at thursby.com] 
> Sent: Friday, January 31, 2003 4:11 PM
> To: krbdev
> Subject: Re: How to prevent getting rc4-hmac data
> 
> 
> And you can do that by changing the password (one time is all it takes).
> 
> This can be a problem with the Administrator account in AD, since that
> account is created before the domain gets set up, and uses RC4.  Users added
> after the domain gets set up should have a DES stored password and will work
> ok.
> 
> -- 
> Paul W. Nelson
> Thursby Software Systems, Inc.
> 
> > From: Nicolas Williams <Nicolas.Williams at sun.com>
> > Date: Fri, 31 Jan 2003 15:59:16 -0600
> > To: "Neulinger, Nathan" <nneul at umr.edu>
> > Cc: krbdev at mit.edu
> > Subject: Re: How to prevent getting rc4-hmac data
> > 
> > The ticket you're getting must have a DES session key, but the enc part
> > of the ticket must be encrypted in rc4-hmac.  To prevent this make sure
> > that your service principal has no rc4-hmac key in its AD entry.
> > 
> > Cheers,
> > 
> > Nico
> > 
> > On Fri, Jan 31, 2003 at 03:55:48PM -0600, Neulinger, Nathan wrote:
> >> I just started looking at re-deploying ssh with the gssapi patch
> >> recently, and noticed that depending on how I got the
> >> host/hostname at REALM ticket, it works or doesn't.
> >> 
> >> I'm running against a microsoft ADS kerberos server.
> >> 
> >> If I kinit, then run ssh, gssapi gets the host ticket, and it gets it as
> >> rc4-hmac, and fails to connect to the remote ssh server.
> >> 
> >> If I kinit, then krb telnet to the remote host, then ssh, the telnet
> >> gets the ticket, and it gets it as des-cbc-crc, and ssh connects just
> >> fine.
> >> 
> >> I have:
> >> 
> >> [libdefaults]
> >>         default_realm = UMR.EDU
> >>         default_tgs_enctypes = des-cbc-crc
> >>         default_tkt_enctypes = des-cbc-crc
> >> 
> >> in krb5.conf. Is there anything else that can be set (or code changed in
> >> ssh client) to cause gssapi_krb to NOT get a rc4-hmac ticket?
> >> 
> >> 
> >> 
> >> -- Nathan
> >> 
> >> _______________________________________________
> >> krbdev mailing list             krbdev at mit.edu
> >> https://mailman.mit.edu/mailman/listinfo/krbdev
> 
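An added example, not code from the thread or from MIT krb5: it reads `klist -e` output and separates the session-key enctype from the ticket enctype, which is the distinction Nico draws above (a DES session key inside an RC4-encrypted ticket). The sample `klist -e` text, principal names and times are constructed; the date layout assumed is MIT klist's.

```python
import re

# Constructed sample of `klist -e` output (MIT krb5 layout) for this example;
# the cache path, principals and times are made up, not taken from the thread.
SAMPLE_KLIST = (
    "Ticket cache: FILE:/tmp/krb5cc_1000\n"
    "Default principal: user@UMR.EDU\n"
    "\n"
    "Valid starting     Expires            Service principal\n"
    "01/31/03 15:55:48  02/01/03 01:55:48  krbtgt/UMR.EDU@UMR.EDU\n"
    "\tEtype (skey, tkt): des-cbc-crc, arcfour-hmac\n"
    "01/31/03 15:56:02  02/01/03 01:55:48  host/foo.example.edu@UMR.EDU\n"
    "\tEtype (skey, tkt): des-cbc-crc, arcfour-hmac\n"
    "01/31/03 15:57:10  02/01/03 01:55:48  host/bar.example.edu@UMR.EDU\n"
    "\tEtype (skey, tkt): des-cbc-crc, des-cbc-crc\n"
)

# Names MIT klist prints for RC4-HMAC (etype 23), plus the rc4-hmac alias.
RC4_NAMES = {"arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac", "rc4-hmac-md5"}

TICKET_RE = re.compile(
    r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+(\S+@\S+)$")
ETYPE_RE = re.compile(r"^\s*Etype \(skey, tkt\): ([^,]+), (\S+)$")


def parse_klist(text):
    """Return [(service_principal, session_key_enctype, ticket_enctype), ...]."""
    tickets, current = [], None
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:                       # ticket header line: remember the principal
            current = m.group(1)
            continue
        m = ETYPE_RE.match(line)
        if m and current:           # enctype line belongs to the preceding ticket
            tickets.append((current, m.group(1).strip(), m.group(2)))
            current = None
    return tickets


def rc4_encrypted_tickets(text):
    """Principals whose ticket (not session key) is RC4-encrypted.

    default_tgs_enctypes only constrains the session key; the ticket itself is
    encrypted in a key the KDC holds for the service principal, so an RC4 ticket
    here means that principal still has an RC4 key on the KDC side."""
    return [p for p, _skey, tkt in parse_klist(text) if tkt in RC4_NAMES]


if __name__ == "__main__":
    for p, skey, tkt in parse_klist(SAMPLE_KLIST):
        flag = "  <- service principal still has an RC4 key" if tkt in RC4_NAMES else ""
        print(f"{p}: session key {skey}, ticket {tkt}{flag}")
```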