OK, here's a bit more info:

$ export KRB5CCNAME=FILE:C:/cygwin/tmp/krb5ccwin;leash32 -m;klist -5 -e
Ticket cache: FILE:C:/cygwin/tmp/krb5ccwin
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
02/09/04 16:28:13  02/10/04 02:28:13  krbtgt/[EMAIL PROTECTED]
        renew until 02/16/04 16:28:13, Etype (skey, tkt): etype 0, ArcFour with HMAC/md5

It appears that no matter what I specify 'default_tkt_enctypes' and 'default_tgs_enctypes' to be in krb5.ini, leash32 / ms2mit always encrypts my ticket with arcfour-hmac-md5. Is this a bug in kfw 2.5? If not, how do I make it encrypt the tgt with, say, des-cbc-crc?

My current krb5.ini (in kf2's bin dir):

...
[libdefaults]
default_tkt_enctypes = des-cbc-crc des-cbc-md5 des-cbc-md4
default_tgs_enctypes = des-cbc-crc des-cbc-md5 des-cbc-md4
...
...

any ideas?

regards

King Lung Chiu

> On further testing, I get these errors when trying to renew the ms2mit tgt
> (using 'kinit -R' from both krb5-1.3.1 and kfw 2.5):
>
> kinit(v5): No credentials found with supported encryption types while
> renewing credentials
>
> and with 'leash32 -r' I get a popup window with errors:
>
> No credentials found with supported encryption types
> (Kerberos error 200)
>
> krb5_get_renewed_creds() failed
>
> So I'm guessing ms2mit encrypts its tgt with an algo. not supported by
> krb5-1.3.1? The weird thing is, even leash32 can't renew ms2mit's tgt.
>
> And on checking the file sizes, I get:
>
> krb5's kinit tgt size: 2286 bytes
> kfw's ms2mit tgt size: 1179 bytes
>
> So any ideas?
>
> thanks again, regards
>
> King Lung Chiu
>
>
> > Hi,
> >
> > I'm testing out kerberised openssh on cygwin with both krb5 1.3.1 and kfw.
> >
> > I can use krb5-1.3.1's kinit no problems, and the tgt allows passwordless
> > ssh from cygwin to a linux machine.
> >
> > But when I use tgt from kfw's ms2mit, passwordless ssh stops working (ie.
> > it asks for a password).
> >
> > For kfw, I've set krb5.ini so it's the same as krb5.conf from my cygwin
> > krb5 1.3.1 install. Before running ssh, I also set KRB5CCNAME so it points
> > to the correct location (klist shows OK).
> >
> > So my problem is tgt from krb5-1.3.1 is OK, but the tgt from ms2mit does
> > not seem to work.
> >
> > Any ideas? (please see below for the ssh -vvv output using the ms2mit tgt)
> >
> > regards
> >
> > King Lung Chiu
> >
> >
> > ...
> > debug1: Authentications that can continue:
> > publickey,gssapi,password,keyboard-interactive
> > debug3: start over, passed a different list
> > publickey,gssapi,password,keyboard-interactive
> > debug3: preferred gssapi,publickey,keyboard-interactive,password
> > debug3: authmethod_lookup gssapi
> > debug3: remaining preferred: publickey,keyboard-interactive,password
> > debug3: authmethod_is_enabled gssapi
> > debug1: Next authentication method: gssapi
> > debug2: we sent a gssapi packet, wait for reply
> > debug1: Miscellaneous failure
> > No credentials found with supported encryption types
> >
> > debug1: Trying to start again
> > debug2: we sent a gssapi packet, wait for reply
> > debug1: Authentications that can continue:
> > publickey,gssapi,password,keyboard-interactive
> > debug2: we did not send a packet, disable method
> > debug3: authmethod_lookup publickey
> > debug3: remaining preferred: keyboard-interactive,password
> > debug3: authmethod_is_enabled publickey
> > debug1: Next authentication method: publickey
> > debug1: Trying private key: /home/chi145/.ssh/identity
> > debug3: no such identity: /home/chi145/.ssh/identity
> > debug1: Trying private key: /home/chi145/.ssh/id_rsa
> > debug3: no such identity: /home/chi145/.ssh/id_rsa
> > debug1: Trying private key: /home/chi145/.ssh/id_dsa
> > debug3: no such identity: /home/chi145/.ssh/id_dsa
> > debug2: we did not send a packet, disable method
> > debug3: authmethod_lookup keyboard-interactive
> > debug3: remaining preferred: password
> > debug3: authmethod_is_enabled keyboard-interactive
> > debug1: Next authentication method: keyboard-interactive
> > debug2: userauth_kbdint
> > debug2: we sent a keyboard-interactive packet, wait for reply
> > debug2: input_userauth_info_req
> > debug2: input_userauth_info_req: num_prompts 1
> > Password:
> >
> > ________________________________________________
> > Kerberos mailing list [EMAIL PROTECTED]
> > https://mailman.mit.edu/mailman/listinfo/kerberos
>
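
A diagnostic sketch added to this thread (not part of the original messages, and not krb5 or kfw code): it parses `klist -5 -e` output like the listing above together with the two `[libdefaults]` enctype lists from krb5.ini, and reports every cached enctype that falls outside those lists, which is the mismatch the poster suspects behind "No credentials found with supported encryption types". It only compares; the description-to-name table and the placeholder realm EXAMPLE.COM are assumptions.

```python
import re
# Constructed samples from the post; EXAMPLE.COM stands in for the redacted realm.
SAMPLE_KLIST = """\
02/09/04 16:28:13  02/10/04 02:28:13  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 02/16/04 16:28:13, Etype (skey, tkt): etype 0, ArcFour with HMAC/md5
"""
SAMPLE_INI = """\
[libdefaults]
default_tkt_enctypes = des-cbc-crc des-cbc-md5 des-cbc-md4
default_tgs_enctypes = des-cbc-crc des-cbc-md5 des-cbc-md4
"""
# klist description -> krb5.ini name (assumed table, only names in this thread).
KLIST_TO_CONF = {"ArcFour with HMAC/md5": "arcfour-hmac-md5",
                 "DES cbc mode with CRC-32": "des-cbc-crc",
                 "DES cbc mode with RSA-MD5": "des-cbc-md5",
                 "DES cbc mode with RSA-MD4": "des-cbc-md4"}

def permitted_enctypes(ini_text):
    """Return {setting: [enctypes]} for the [libdefaults] enctype lists."""
    section, found = None, {}
    for line in (l.strip() for l in ini_text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]").lower()
        m = re.match(r"(default_t(?:kt|gs)_enctypes)\s*=\s*(.+)", line)
        if m and section == "libdefaults":
            found[m.group(1)] = re.split(r"[\s,]+", m.group(2))
    return found

def ticket_enctypes(klist_text):
    """Return [(service, skey_etype, tkt_etype)] from `klist -5 -e` output."""
    tickets, service = [], None
    for line in klist_text.splitlines():
        m = re.search(r"Etype \(skey, tkt\):\s*([^,]+),\s*(.+)", line)
        if m and service:
            skey, tkt = (KLIST_TO_CONF.get(n.strip(), n.strip()) for n in m.groups())
            tickets.append((service, skey, tkt))
        elif re.match(r"\d\d/\d\d/\d\d ", line):
            service = line.split()[-1]  # last column is the service principal
    return tickets

def mismatches(klist_text, ini_text):
    """Return (service, field, etype, setting) for each etype not in a list."""
    return [(svc, field, etype, setting)
            for setting, allowed in permitted_enctypes(ini_text).items()
            for svc, skey, tkt in ticket_enctypes(klist_text)
            for field, etype in (("skey", skey), ("tkt", tkt))
            if etype not in allowed]

if __name__ == "__main__":
    print(*mismatches(SAMPLE_KLIST, SAMPLE_INI), sep="\n")
```

On the sample, both the `etype 0` session key and the arcfour-hmac-md5 ticket are reported against each of the two DES-only lists.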
