Simon Josefsson <[email protected]> writes:

> I suspect the problem is that MIT/Heimdal is somehow expecting/requiring
> that DES keys are available, which I haven't added. I don't understand
> why MIT/Heimdal doesn't use AES for everything except a DES sub-session
> key. I'll see if adding DES keys for the krbtgt and/or host and/or user
> will help.

Interestingly, the MIT telnet client is not trying to get any host keys. Thus it must be failing as soon as it sees an AES ticket for the user, or perhaps more likely, it fails as soon as it doesn't see a DES ticket.

I'm able to get a DES3 ticket using kinit (although telnet fails the same way as with an AES key), but I'm not able to get a DES ticket using kinit, error message is:

    jas@latte:~$ kinit [email protected]
    kinit: No supported encryption types (config file error?) while getting initial credentials
    jas@latte:~$

There is no traffic to the KDC here. Most likely, I have misunderstood the MIT configuration file here. I'm adding these to /etc/krb5.conf:

    default_tgs_enctypes = des-cbc-md5
    default_tkt_enctypes = des-cbc-md5
    permitted_enctypes = des-cbc-md5

Setting up an MIT/Heimdal telnetd may reveal some more details.

/Simon
