Nicolas Williams wrote:
> On Tue, May 16, 2006 at 04:01:11PM -0400, Jeff Blaine wrote:
>> I'm confused, then, Nicolas.
>>
>> As I read the output, there are 2 keys stored
>> for these principals:
>>
>> 1 using Triple DES cbc mode with HMAC/sha1
>>
>> 1 using DES cbc mode with CRC-32
>>
>> And the first matching enctype is supposed to be used,
>> which would be des-cbc-crc (and des3-hmac-sha1 would
>> not, as it is not common to the client and server).
>
> What does kadmin -q "getprinc host/[EMAIL PROTECTED]" say?
>
> I bet the des3-hmac-sha1 key comes before the des-cbc-crc key.
Yes, it does.

> That means that when the stock pam_krb5/mech_krb5 do a TGS-REQ to get a
> service ticket [for the PAM_USER with host/[EMAIL PROTECTED] as the
> service principal name] with which to validate the user's TGT the ticket
> will come back encrypted in host/[EMAIL PROTECTED]'s 3DES key
> (because the KDC will select that long-term key because it's first in
> the KDB entry), which, sadly, the Solaris 9 mech_krb5 doesn't support.

I guess this is what I want:

http://www.ietf.org/internet-drafts/draft-zhu-kerb-enctype-nego-04.txt

This helped just now though. What a mess.

http://learningsolaris.com/docs/krb_enctypes_so10.pdf

Looks like I'll redo my existing stuff to only ever allow the 1DES enctype
(boggles my mind) via 'supported_enctypes' in kdc.conf. That seems a real
shame -- "Use 1DES in any homogeneous environment or you may really hurt
yourself."

Sadly, it also doesn't appear one can remove just *one* enctype instance
of a key (the 3DES one in my case).

I'm glad I am finding all of this out now on a testbed machine :O

> You could upgrade to Solaris 10 and get support for AES (in addition to
> 3DES and HMAC-RC4)...

Not an option.

Thanks for your help, Nico and Doug.

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
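To make the key-selection rule Nico describes concrete, here is an added example in Python; it is not code from this thread or from MIT krb5. It parses constructed kadmin "getprinc" output, picks the enctype the KDC would use to encrypt the service ticket under the "first key of the current kvno in the KDB entry" rule quoted above, and reports whether a host whose Kerberos library only handles single DES (an assumed enctype set standing in for the Solaris 9 mech_krb5) could decrypt that ticket. The realm EXAMPLE.COM, the principal, the sample output and the legacy enctype set are all assumptions made for the example.

```python
"""Audit kadmin getprinc output for the key-ordering problem discussed in
the thread: the KDC encrypts the service ticket with the first key (of the
current kvno) in the principal's KDB entry, so a host whose library cannot
handle that enctype fails even though a key it does support exists further
down the list.

Added example, not part of the original thread or of MIT krb5. The getprinc
text below is constructed to follow the shape of MIT kadmin output; the
legacy enctype set is an assumption standing in for Solaris 9 mech_krb5.
"""

# Display names kadmin prints for each enctype, mapped to the canonical
# names used in kdc.conf / krb5.conf (des3-cbc-sha1 is also known as
# des3-hmac-sha1, the name used in the thread).
DISPLAY_TO_ENCTYPE = {
    "Triple DES cbc mode with HMAC/sha1": "des3-cbc-sha1",
    "DES cbc mode with CRC-32": "des-cbc-crc",
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
    "ArcFour with HMAC/md5": "arcfour-hmac",
    "AES-128 CTS mode with 96-bit SHA-1 HMAC": "aes128-cts-hmac-sha1-96",
    "AES-256 CTS mode with 96-bit SHA-1 HMAC": "aes256-cts-hmac-sha1-96",
}

# Assumption: the host's library understands only single DES.
LEGACY_HOST_ENCTYPES = {"des-cbc-crc", "des-cbc-md5"}

# Constructed sample: the situation from the thread (3DES key listed first).
SAMPLE_GETPRINC = """\
Principal: host/[email protected]
Expiration date: [never]
Last password change: Tue May 16 15:30:12 EDT 2006
Number of keys: 2
Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 3, DES cbc mode with CRC-32, no salt
Policy: [none]
"""

# Constructed sample: the same principal after being re-keyed with only a
# single-DES enctype (what restricting supported_enctypes achieves for keys
# generated after the change).
SAMPLE_GETPRINC_REKEYED = """\
Principal: host/[email protected]
Number of keys: 1
Key: vno 4, DES cbc mode with CRC-32, no salt
Policy: [none]
"""


def parse_getprinc_keys(text):
    """Return [(kvno, enctype), ...] in the order kadmin lists the keys."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("Key: vno "):
            continue
        # "Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt"
        fields = [f.strip() for f in line[len("Key: "):].split(",")]
        kvno = int(fields[0].split()[1])
        display = fields[1]
        keys.append((kvno, DISPLAY_TO_ENCTYPE.get(display, display)))
    return keys


def ticket_enctype(keys):
    """Enctype the KDC uses for the service ticket under the rule quoted in
    the thread: the first listed key of the highest kvno."""
    if not keys:
        return None
    newest = max(kvno for kvno, _ in keys)
    return next(enc for kvno, enc in keys if kvno == newest)


def audit(text, host_enctypes=LEGACY_HOST_ENCTYPES):
    """Report whether the host could decrypt the ticket the KDC would issue,
    and which of the principal's keys it could have used instead."""
    keys = parse_getprinc_keys(text)
    chosen = ticket_enctype(keys)
    return {
        "ticket_enctype": chosen,
        "host_can_decrypt": chosen in host_enctypes,
        "usable_keys_present": [enc for _, enc in keys if enc in host_enctypes],
    }


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_GETPRINC),
                          ("after re-key", SAMPLE_GETPRINC_REKEYED)):
        print(label, audit(sample))
```

The first sample reproduces the failure in the thread: the ticket comes back in the des3 key while the host's library can only use the des-cbc-crc key that sits second in the entry. Restricting supported_enctypes in the [realms] section of kdc.conf (for example to des-cbc-crc:normal, as the poster intends) only governs which keys are generated from then on; keys already in the KDB and in the host's keytab keep their enctypes until the principal is re-keyed and a fresh keytab is extracted, which is the state the second sample models.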
