Solaris ssh pam_krb "bad encryption type"

Fletcher Cocquyt fcocquyt at
Tue Mar 28 16:28:00 EST 2006


I am attempting to get our Solaris 9 and 10 servers to use campus kdc for ssh 

I want to end up with a "cookbook" of step by step instructions on how to 
convert a fresh install of Solaris to kerberized ssh.

Currently I am trying to make it work with Sun's pam_krb linked to Sun's 
kerberos. I am using the latest openssh4.3 and openssl0.9.8a (preferred because
 they will keep more up to date than Sun's patches)

I have:
1) Placed my krb5.keytab in /etc/krb5/krb5.keytab:
# klist -e -k /etc/krb5/krb5.keytab
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
   5 host/ at (DES cbc mode with CRC-32)  
2) configured openssh via /etc/ssh/sshd_config
UsePAM yes
3) configured /etc/pam.conf
sshd auth sufficient
sshd auth required debug
4) /etc/krb5/krb5.conf is the standard one from campus and includes:
    default_tgs_enctypes  = des-cbc-crc
    default_tkt_enctypes  = des-cbc-crc

I am currently getting SUCCESS on krb auth, then "bad encrytion type" in

Mar 22 11:25:02 HOSTNAME sshd[8392]: [ID 549540 auth.debug] PAM-KRB5 (auth):

attempt_krb5_auth: start: user='fcocquyt'
Mar 22 11:25:02 HOSTNAME sshd[8392]: [ID 179272 auth.debug] PAM-KRB5 (auth):

attempt_krb5_auth: krb5_get_init_creds_password returns: SUCCESS Mar 22 11:25:02
 HOSTNAME sshd[8392]: [ID 537602 auth.error] PAM-KRB5 (auth):
krb5_verify_init_creds failed: Bad encryption type 

I am almost ready to give up on Sun's pam_krb and kerberos - (I've compiled the
 latest kerberos from MIT and stowed it in /usr/local) - but the pam_krb source 
I found on sourceforge looks SOOOOOOOO out of date....

Can anyone advise how to proceed - whether Sun's pam_krb will work, or how to 
get a pam_krb working from RedHat's source rpms?

Any help would be appreciated!

Many thanks,


More information about the krbdev mailing list