krb5-1.8 fails to verify MS PAC Checksum when AES 256 is used causing sshd to fail

Douglas E. Engert deengert at
Wed Jun 30 15:17:31 EDT 2010

With Ubuntu Lucid, and AD 2008 as KDC, a service ticket can
be issued using AES 256, but the PAC server Checksum can be
using RC4.

sshd would then get a "Bad encryption type" message and fail.

This appears to be the situation as outlined in Example 2 in this blog:

Using a version of MIT 1.8 of gss-client and gss-server, I can reproduce this
problem on a Solaris 10 system, and indeed the service key enctype is 18 for
  AES 256, and the checksum type is CHECKSUM_TYPE_HMAC_MD5_ARCFOUR
See attached gdb output.

Any ideas on how to fix this for the long term, where AES is used and
a system may want to use the PAC?

For a system like Windows that stores the password and generates keys on
the fly this in not a big deal. For systems where keys are stored
separately this is a big deal, as it means you need to have two keys
to verify the PAC.

In my situation the PAC is not needed, so a circumvention is to
or not use AES, or as the blog suggests, if the msDS-SupportedEncryptionTypes
does not include RC4, it might use AES. (I have not tried this, yet
as RC4 is still the common enctype available on all our systems.)

The Solaris 10 provided Kerberos can use AES and does not have this problem,
as I don't think it is checking the PAC...


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: cs.txt

More information about the krbdev mailing list