[35907] in Kerberos


Re: permitted_enctypes = "des-cbc-crc" triggers 'kinit: Generic error

daemon@ATHENA.MIT.EDU (Olga Kryzhanovska)
Fri Mar 21 06:16:53 2014

MIME-Version: 1.0
In-Reply-To: <alpine.GSO.1.10.1403201830470.21026@multics.mit.edu>
Date: Fri, 21 Mar 2014 11:16:31 +0100
Message-ID: <CA+OH3v3Fk1O6No=okdx+rTbHfohN7cr_B1z6S+xxXKvdx5mb_g@mail.gmail.com>
From: Olga Kryzhanovska <olga.kryzhanovska@gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: "<kerberos@mit.edu>" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Plain des-cbc-crc-only authentication doesn't seem to be supported any more:

$ kadmin
Authenticating as principal root/admin@MINIPAX.TERRORONWAR.ORG with password.
kadmin: KDC has no support for encryption type while initializing kadmin interface

Olga

On Thu, Mar 20, 2014 at 11:32 PM, Benjamin Kaduk <kaduk@mit.edu> wrote:
> On Thu, 20 Mar 2014, Wendy Lin wrote:
>
>> I have this in my Suse 11.3 /etc/krb.conf for libdefaults:
>>
>>        allow_weak_crypto = true
>> #       permitted_enctypes = "des-cbc-crc arcfour-hmac des3-cbc-sha1 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96"
>>        permitted_enctypes = "des-cbc-crc"
>>
>> Now if I try to kinit I get this error:
>>
>> kinit
>> kinit: Generic error (see e-text) while getting initial credentials
>
> If your client is only trying to use des-cbc-crc (a bad idea, see RFC
> 6649) but the KDC does not have a key for your principal of that enctype,
> attempting to get a ticket cannot succeed -- there is no key that both
> parties will use to secure the communication.
>
> -Ben Kaduk
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos



-- 
      ,   _                                    _   ,
     { \/`o;====-    Olga Kryzhanovska   -====;o`\/ }
.----'-/`-/     olga.kryzhanovska@gmail.com   \-`\-'----.
 `'-..-| /       http://twitter.com/fleyta     \ |-..-'`
      /\/\     Solaris/BSD//C/C++ programmer   /\/\
      `--`                                      `--`
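
The enctype match described in the quoted reply, as an added example that is not part of the thread or of MIT krb5: a Python check that compares a client's [libdefaults] settings with the enctypes of a principal's keys in the KDC. The function names and the AES-only key list are assumptions made for illustration, and the weak-enctype set covers single DES only.

```python
# Added example: simplified model of the client/KDC enctype match (not krb5 code).
WEAK_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}  # single DES, see RFC 6649

def parse_libdefaults(conf_text):
    """Return the key/value settings of the [libdefaults] section."""
    settings, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings

def client_enctypes(settings):
    """Enctypes the client accepts once weak ones are filtered out."""
    permitted = settings.get("permitted_enctypes", "").replace(",", " ").split()
    allow_weak = settings.get("allow_weak_crypto", "false").lower() in ("true", "yes", "1", "on")
    return [e for e in permitted if allow_weak or e not in WEAK_DES]

def common_enctypes(conf_text, principal_keys):
    """Enctypes both the client config and the principal's KDC keys support."""
    client = client_enctypes(parse_libdefaults(conf_text))
    return [e for e in client if e in principal_keys]

def audit(conf_text, principal_keys):
    """Return findings for one client config / principal key list pair."""
    usable = common_enctypes(conf_text, principal_keys)
    findings = []
    if not usable:
        findings.append("no common enctype: initial ticket request cannot succeed")
    if any(e in WEAK_DES for e in usable):
        findings.append("weak single-DES enctype in use (see RFC 6649)")
    return findings

# Constructed inputs: the libdefaults lines quoted in the thread, and a
# hypothetical principal that has only AES keys in the KDC database.
THREAD_CONF = '''[libdefaults]
    allow_weak_crypto = true
    permitted_enctypes = "des-cbc-crc"
'''
AES_ONLY_KEYS = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"]

if __name__ == "__main__":
    print(audit(THREAD_CONF, AES_ONLY_KEYS))
```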