tech-security: Re: Kerberos: telnet to Solaris -> Bad encryption type

Subject: Re: Kerberos: telnet to Solaris -> Bad encryption type
To: None <tech-security@NetBSD.org>
From: T. M. Pederson <tmp@glasseye.bag.plethora.net>
List: tech-security
Date: 09/26/2005 07:05:01

--==_Exmh_1127736301_26574P
Content-Type: text/plain; charset=us-ascii

On "Mon, 26 Sep 2005 05:58:39 +0200", Hubert Feyrer <hubert@feyrer.de> wrote:

>
>On Mon, 26 Sep 2005, Hubert Feyrer wrote:
>> 	[ Trying KERBEROS5 ... ]
>> 	[ Kerberos V5 refuses authentication because Kerberos checksum 
>> verification failed: Bad encryption type ]
>
>Playing a bit more, I found that on Solaris the command to list the keytab 
>file is:
>
> 	sol10# klist -k -e -t
> 	Keytab name: FILE:/etc/krb5/krb5.keytab
> 	KVNO Timestamp               Principal
> 	---- ----------------- ------------------------------------------------
>---------
> 	   1 09/25/05 22:55:55 host/sol10@MONROE.ST (DES cbc mode with CRC-32)
>===>	   1 09/25/05 22:55:55 host/sol10@MONROE.ST (etype 2)
> 	   1 09/25/05 22:55:55 host/sol10@MONROE.ST (DES cbc mode with RSA-MD5)
> 	   1 09/25/05 22:55:55 host/sol10@MONROE.ST (Triple DES cbc mode with H
>MAC/sha1)
>
>After removing that "etypes 2" (which on NetBSD is des-cbc-md4), using 
>"del_enctype host/sol10 des-cbc-md4" in "kadmin -l", exporting and moving 
>the new keytab file again (and verifying that it only contains three 
>etypes it knows), I the the same error, "Bad encryption type".
>:(

I vaguely recall running into this sort of thing back when Solaris 8 was new. 
IIRC, I solved part of it by setting enctypes by Realm in the Solaris 
krb5.conf. I no longer recall the details, though I think that particular box 
is sitting over in some corner (several km away) and just needs to be turned 
on to check....

Anyway, IIRC the keytab and krb5.conf (and only those two) need some tweaking 
to get all of this straightened out.



--==_Exmh_1127736301_26574P
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Exmh version 2.7.0 06/18/2004 (debian 1:2.7.0-4)

iQEVAwUBQzfj7YspvTfW+oOaAQL/qgf/WaeQnHlwHuvrRjYhZXBM5dkdJ7uAaVTy
FCzIF2qcFLu3fEegk2ABaIK7CGN8eZzSGKphyC0ftNk6aTMXKONO3E2emySSJsym
BVbFMaalBlrUeMg66bA8A3X3/1udryGDQDulCVdCT4/4jv9ngODr1UzGEPBho9Et
Ev6csFrnNzGLLFH7aFo0TkbArwmaD0FSlqX22wmp/BePGv5TYoZoGIjfCEYAcRQ3
URoa9kvobxWH+9iuIkmZBnTfC6D5W5Ot3vmSfQmoYo+8Sx9IikFcU6JaC8sgCuPZ
zBfTXpdn07PH0dus4gKfjazIhbCp4JNSK0eJkdcn7pDus/7G9pfArw==
=eJaf
-----END PGP SIGNATURE-----

--==_Exmh_1127736301_26574P--