On May 16, 2006, at 2:32 PM, [EMAIL PROTECTED] wrote:
Message: 9
Date: Tue, 16 May 2006 17:32:45 -0400
From: Jeff Blaine [EMAIL PROTECTED]
Subject: Re: Solaris 9, stock sshd, pam_krb5, MIT 1.4.3 KDC
To: kerberos@mit.edu
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=ISO
On Thu, May 18, 2006 at 04:12:00PM -0700, Henry B. Hotz wrote:
On May 16, 2006, at 2:32 PM, [EMAIL PROTECTED] wrote:
On Heimdal you would normally create the entry and then delete the
unwanted encryption key types (if necessary). I think the mechanism
is different for Sun or MIT servers:
Silly question time: exactly where do you think your kdc.conf
is? I found a bunch of times that people would mistakenly
place it in /etc, ... You could use a system call tracer to
make sure it's reading the right file.
bash-2.05# truss -o /tmp/out kadmin.local -q getprinc
On May 17, 2006, at 16:42, Jeff Blaine wrote:
and the KDC would happily start up without reading it.
And this is... okay with everyone? *scratches head*
For the 1.5 release, we're changing direction a bit: The KDC programs
(krb5kdc, kadmind, kadmin.local but not kadmin, etc) will add
On Tue, May 16, 2006 at 06:40:29PM -0400, Jeff Blaine wrote:
Yes, MIT k5 1.4.3
The only Solaris piece I ever expect to use is pam_krb5.so
And secure NFS? (kgssapi/kmech_krb5, gssd/mech_krb5)
I've yet to touch/test Linux + K5, but it will be promptly
after I find most of the hiccups with
Has anyone gotten Solaris 9's sshd and pam_krb5.so
to work?
I can't seem to. I am told:
authentication failed: Bad encryption type
May 16 14:19:33 noodle.foo.com sshd[676]: [ID 537602 auth.error]
PAM-KRB5 (auth): krb5_verify_init_creds failed: Bad encryption type
However, MIT
Nicolas Williams wrote:
On Tue, May 16, 2006 at 02:23:16PM -0400, Jeff Blaine wrote:
authentication failed: Bad encryption type
bash-2.05# /export/home/krb5/sbin/ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
On Tue, May 16, 2006 at 02:23:16PM -0400, Jeff Blaine wrote:
authentication failed: Bad encryption type
bash-2.05# /export/home/krb5/sbin/ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
On Tue, May 16, 2006 at 03:10:04PM -0400, Jeff Blaine wrote:
Nicolas Williams wrote:
What does klist -ke /etc/krb5/krb5.keytab say?
bash-2.05# /export/home/krb5/bin/klist -ke /etc/krb5/krb5.keytab
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
I'm confused, then, Nicolas.
As I read the output, there are 2 keys stored
for these principals:
1 using Triple DES cbc mode with HMAC/sha1
1 using DES cbc mode with CRC-32
And the first matching enctype is supposed to be used,
which would be des-cbc-crc (and des3-hmac-sha1 would
not, as
On Tue, May 16, 2006 at 04:01:11PM -0400, Jeff Blaine wrote:
I'm confused, then, Nicolas.
As I read the output, there are 2 keys stored
for these principals:
1 using Triple DES cbc mode with HMAC/sha1
1 using DES cbc mode with CRC-32
And the first matching enctype is supposed
Nicolas Williams wrote:
On Tue, May 16, 2006 at 04:01:11PM -0400, Jeff Blaine wrote:
I'm confused, then, Nicolas.
As I read the output, there are 2 keys stored
for these principals:
1 using Triple DES cbc mode with HMAC/sha1
1 using DES cbc mode with CRC-32
And the first matching
On Tuesday, May 16, 2006 05:32:45 PM -0400 Jeff Blaine
[EMAIL PROTECTED] wrote:
I guess this is what I want:
http://www.ietf.org/internet-drafts/draft-zhu-kerb-enctype-nego-04.txt
Actually, this doesn't help with your problem. The mechanism described in
that document allows a client and
On Tue, May 16, 2006 at 05:32:45PM -0400, Jeff Blaine wrote:
Nicolas Williams wrote:
What does kadmin -q getprinc host/[EMAIL PROTECTED] say?
I bet the des3-hmac-sha1 key comes before the des-cbc-crc key.
Yes, it does.
Well, that's it then. Switch to des-cbc-crc.
Yes, the krb5 team
On Tue, May 16, 2006 at 04:57:29PM -0500, Nicolas Williams wrote:
Hmmm, OK, this is complicated, and I'd rather not go into all these
details, but:
^
right now
Kerberos mailing list Kerberos@mit.edu
Yes, MIT k5 1.4.3
The only Solaris piece I ever expect to use is pam_krb5.so
I've yet to touch/test Linux + K5, but it will be promptly
after I find most of the hiccups with Solaris + MIT for
now. Then it's on to Cyrus IMAP integration and other
fun stuff.
Maybe I'm just sore about it, but
That seems a real shame -- Use 1DES in any homogenous
environment or you may really hurt yourself.
It's not actually _that_ bad, and you don't want to change your
supported_enctypes line. The only _crucial_ thing is that you
cannot have service keys on a system that it cannot handle. The
On Tuesday, May 16, 2006 06:40:29 PM -0400 Jeff Blaine
[EMAIL PROTECTED] wrote:
Yes, MIT k5 1.4.3
The only Solaris piece I ever expect to use is pam_krb5.so
I've yet to touch/test Linux + K5, but it will be promptly
after I find most of the hiccups with Solaris + MIT for
now. Then it's
And now, I cannot get kadmin.local to NOT make 3DES
keys. I have tried:
1. kdc_supported_enctypes = des-cbc-crc:normal
2. supported_enctypes = des-cbc-crc:normal
3. Both 1 and 2 at the same time
4. 1, 2, and 3 after restarting everything
5. Checked and rechecked that I am editing the