[35904] in Kerberos


Re: permitted_enctypes = "des-cbc-crc" triggers 'kinit: Generic

daemon@ATHENA.MIT.EDU (Benjamin Kaduk)
Thu Mar 20 18:32:22 2014

Date: Thu, 20 Mar 2014 18:32:07 -0400 (EDT)
From: Benjamin Kaduk <kaduk@mit.edu>
To: Wendy Lin <wendlin1974@gmail.com>
In-Reply-To: <CA+j=ERoo0aqigxoAgkyZYfcgzgXssU3aRjfsozrmh0k1Cv6q9g@mail.gmail.com>
Message-ID: <alpine.GSO.1.10.1403201830470.21026@multics.mit.edu>
MIME-Version: 1.0
Cc: "<kerberos@mit.edu>" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Thu, 20 Mar 2014, Wendy Lin wrote:

> I have this in my Suse 11.3 /etc/krb.conf for libdefaults:
>
>        allow_weak_crypto = true
> #       permitted_enctypes = "des-cbc-crc arcfour-hmac des3-cbc-sha1 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96"
>        permitted_enctypes = "des-cbc-crc"
>
> Now if I try to kinit I get this error:
>
> kinit
> kinit: Generic error (see e-text) while getting initial credentials

If your client is only trying to use des-cbc-crc (a bad idea, see RFC 
6649) but the KDC does not have a key for your principal of that enctype, 
attempting to get a ticket cannot succeed -- there is no key that both 
parties will use to secure the communication.

-Ben Kaduk
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
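
The mismatch described in the reply above, as an added example that is not part of the original message: a Python check that intersects the client's active permitted_enctypes with the enctypes of a principal's keys and flags the ones RFC 6649 deprecates. The key listing is constructed (the thread does not show the principal's keys) and is formatted like kadmin getprinc output; all function names are hypothetical.

```python
import re

# Enctypes deprecated by RFC 6649, under their MIT krb5 names.
WEAK = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "arcfour-hmac-exp"}

# Constructed sample: the [libdefaults] lines quoted in the thread.
SAMPLE_CONF = '''
[libdefaults]
    allow_weak_crypto = true
#   permitted_enctypes = "des-cbc-crc arcfour-hmac des3-cbc-sha1 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96"
    permitted_enctypes = "des-cbc-crc"
'''

# Constructed sample: the thread does not show which keys the principal has.
SAMPLE_KEYS = '''
Number of keys: 2
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, arcfour-hmac
'''

def permitted_enctypes(conf_text):
    """First uncommented permitted_enctypes in [libdefaults], or None if unset."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # skip blank and commented-out lines
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "permitted_enctypes":
                return [e for e in re.split(r"[\s,]+", value.strip('"')) if e]
    return None

def principal_enctypes(key_listing):
    """Enctypes named in 'Key: vno N, <enctype>' lines."""
    return re.findall(r"^\s*Key: vno \d+, ([\w-]+)", key_listing, re.M)

def diagnose(conf_text, key_listing):
    client = permitted_enctypes(conf_text)
    keys = principal_enctypes(key_listing)
    # Assumption: an unset permitted_enctypes adds no restriction here.
    usable = keys if client is None else [e for e in keys if e in client]
    return {"usable": usable, "weak_permitted": sorted(WEAK & set(client or []))}

if __name__ == "__main__":
    print(diagnose(SAMPLE_CONF, SAMPLE_KEYS))
```

An empty "usable" list is the situation in which no ticket can be obtained, because the client and the KDC share no enctype for the principal.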
