Subject: Re: Kerberos: telnet to Solaris -> Bad encryption type
To: None <>
From: T. M. Pederson <>
List: tech-security
Date: 09/26/2005 07:05:01
Content-Type: text/plain; charset=us-ascii

On "Mon, 26 Sep 2005 05:58:39 +0200", Hubert Feyrer <> wrote:

>On Mon, 26 Sep 2005, Hubert Feyrer wrote:
>> 	[ Trying KERBEROS5 ... ]
>> 	[ Kerberos V5 refuses authentication because Kerberos checksum 
>> verification failed: Bad encryption type ]
>Playing a bit more, I found that on Solaris the command to list the keytab 
>file is:
> 	sol10# klist -k -e -t
> 	Keytab name: FILE:/etc/krb5/krb5.keytab
> 	KVNO Timestamp               Principal
> 	---- ----------------- ------------------------------------------------
> 	   1 09/25/05 22:55:55 host/sol10@MONROE.ST (DES cbc mode with CRC-32)
>===>	   1 09/25/05 22:55:55 host/sol10@MONROE.ST (etype 2)
> 	   1 09/25/05 22:55:55 host/sol10@MONROE.ST (DES cbc mode with RSA-MD5)
> 	   1 09/25/05 22:55:55 host/sol10@MONROE.ST (Triple DES cbc mode with H
>After removing that "etypes 2" (which on NetBSD is des-cbc-md4), using 
>"del_enctype host/sol10 des-cbc-md4" in "kadmin -l", exporting and moving 
>the new keytab file again (and verifying that it only contains three 
>etypes it knows), I get the same error, "Bad encryption type".

I vaguely recall running into this sort of thing back when Solaris 8 was new. 
IIRC, I solved part of it by setting enctypes by Realm in the Solaris 
krb5.conf. I no longer recall the details, though I think that particular box 
is sitting over in some corner (several km away) and just needs to be turned 
on to check....

Anyway, IIRC the keytab and krb5.conf (and only those two) need some tweaking 
to get all of this straightened out.
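
Added example, not part of the original message or thread: a shell helper that scans `klist -k -e` output like the listing quoted above and reports keytab entries whose enctype is shown only as "etype N", as in the flagged line of that listing. The function names are hypothetical, and the sample listing is constructed from the quoted output.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the thread.

# Reads `klist -k -e` output (with or without -t) on stdin and prints one
# line per keytab entry whose enctype appears only as "etype N", meaning
# the klist on this host has no name for that enctype number.
unknown_etypes() {
  awk '
    # Entry lines start with a numeric KVNO; header and ruler lines do not.
    $1 ~ /^[0-9]+$/ {
      p = index($0, "(")
      if (p == 0) next
      desc = substr($0, p)
      # The principal is the last word before the opening parenthesis,
      # whether or not a timestamp column is present.
      n = split(substr($0, 1, p - 1), w)
      if (desc ~ /^\(etype [0-9]+\)[ \t]*$/) {
        gsub(/[^0-9]/, "", desc)
        printf "kvno=%s principal=%s etype=%s\n", $1, w[n], desc
      }
    }'
}

# Constructed sample input, modelled on the listing quoted in the message.
sample_klist() {
  cat <<'EOF'
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Timestamp               Principal
---- ----------------- ------------------------------------------------
   1 09/25/05 22:55:55 host/sol10@MONROE.ST (DES cbc mode with CRC-32)
   1 09/25/05 22:55:55 host/sol10@MONROE.ST (etype 2)
   1 09/25/05 22:55:55 host/sol10@MONROE.ST (DES cbc mode with RSA-MD5)
EOF
}

# Stand-alone run against the constructed sample.
sample_klist | unknown_etypes
```

On the host that holds the keytab, the same check is `klist -k -e -t | unknown_etypes`.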
