preauth requires DES3 keys???
3@dewey:577 B# ktutil list
Version Type Principal
1 des-cbc-md5 host/dewey.ece.cmu.edu@TEST5.ECE.CMU.EDU
1 des-cbc-md4 host/dewey.ece.cmu.edu@TEST5.ECE.CMU.EDU
1 des-cbc-crc host/dewey.ece.cmu.edu@TEST5.ECE.CMU.EDU
1 des-cbc-md5 hprop/dewey.ece.cmu.edu@TEST5.ECE.CMU.EDU
1 des-cbc-md4 hprop/dewey.ece.cmu.edu@TEST5.ECE.CMU.EDU
1 des-cbc-crc hprop/dewey.ece.cmu.edu@TEST5.ECE.CMU.EDU
1 des-cbc-md5 kadmin/hprop@TEST5.ECE.CMU.EDU
1 des-cbc-md4 kadmin/hprop@TEST5.ECE.CMU.EDU
1 des-cbc-crc kadmin/hprop@TEST5.ECE.CMU.EDU
3@dewey:578 B# sh slave_hprop
principal: `kadmin/hprop@TEST5.ECE.CMU.EDU' :: `host/dewey.ece.cmu.edu@TEST5.ECE.CMU.EDU'
enctype: 7 :: 3
principal: `kadmin/hprop@TEST5.ECE.CMU.EDU' :: `host/dewey.ece.cmu.edu@TEST5.ECE.CMU.EDU'
enctype: 7 :: 2
principal: `kadmin/hprop@TEST5.ECE.CMU.EDU' :: `host/dewey.ece.cmu.edu@TEST5.ECE.CMU.EDU'
enctype: 7 :: 1
principal: `kadmin/hprop@TEST5.ECE.CMU.EDU' :: `hprop/dewey.ece.cmu.edu@TEST5.ECE.CMU.EDU'
enctype: 7 :: 3
principal: `kadmin/hprop@TEST5.ECE.CMU.EDU' :: `hprop/dewey.ece.cmu.edu@TEST5.ECE.CMU.EDU'
enctype: 7 :: 2
principal: `kadmin/hprop@TEST5.ECE.CMU.EDU' :: `hprop/dewey.ece.cmu.edu@TEST5.ECE.CMU.EDU'
enctype: 7 :: 1
principal: `kadmin/hprop@TEST5.ECE.CMU.EDU' :: `kadmin/hprop@TEST5.ECE.CMU.EDU'
enctype: 7 :: 3
principal: `kadmin/hprop@TEST5.ECE.CMU.EDU' :: `kadmin/hprop@TEST5.ECE.CMU.EDU'
enctype: 7 :: 2
principal: `kadmin/hprop@TEST5.ECE.CMU.EDU' :: `kadmin/hprop@TEST5.ECE.CMU.EDU'
enctype: 7 :: 1
principal: `kadmin/hprop@TEST5.ECE.CMU.EDU' :: `host/dewey.ece.cmu.edu@TEST5.ECE.CMU.EDU'
enctype: 7 :: 3
principal: `kadmin/hprop@TEST5.ECE.CMU.EDU' :: `host/dewey.ece.cmu.edu@TEST5.ECE.CMU.EDU'
enctype: 7 :: 2
principal: `kadmin/hprop@TEST5.ECE.CMU.EDU' :: `host/dewey.ece.cmu.edu@TEST5.ECE.CMU.EDU'
enctype: 7 :: 1
principal: `kadmin/hprop@TEST5.ECE.CMU.EDU' :: `hprop/dewey.ece.cmu.edu@TEST5.ECE.CMU.EDU'
enctype: 7 :: 3
principal: `kadmin/hprop@TEST5.ECE.CMU.EDU' :: `hprop/dewey.ece.cmu.edu@TEST5.ECE.CMU.EDU'
enctype: 7 :: 2
principal: `kadmin/hprop@TEST5.ECE.CMU.EDU' :: `hprop/dewey.ece.cmu.edu@TEST5.ECE.CMU.EDU'
enctype: 7 :: 1
principal: `kadmin/hprop@TEST5.ECE.CMU.EDU' :: `kadmin/hprop@TEST5.ECE.CMU.EDU'
enctype: 7 :: 3
principal: `kadmin/hprop@TEST5.ECE.CMU.EDU' :: `kadmin/hprop@TEST5.ECE.CMU.EDU'
enctype: 7 :: 2
principal: `kadmin/hprop@TEST5.ECE.CMU.EDU' :: `kadmin/hprop@TEST5.ECE.CMU.EDU'
enctype: 7 :: 1
hprop: krb5_get_init_creds: Additional pre-authentication required
3@dewey:579 B#
The "principal:" and "enctype:" lines above are from some debugging printf()s
in lib/krb5/keytab.c:kt_compare().
The notable thing is that the only enctype searched for is des3-cbc-sha1.
This is something of a problem given that the current KDC database is
composed entirely of keys extracted from the kaserver.DB0 for the
test5.ece.cmu.edu cell... no way to stuff des3 keys in there. Shouldn't
there be some provision to fall back to other enctypes?
(Retaining the des3 keys isn't an option; well, it is for kadmin/hprop, but
what of host keys? I'm trying to *avoid* regenerating all the existing keys,
but rcmd.hostname keys converted to host/hostname.do.main keys would be
useless as this currently works.)
--
brandon s. allbery [os/2][linux][solaris][japh] allbery@kf8nh.apk.net
system administrator [WAY too many hats] allbery@ece.cmu.edu
carnegie mellon / electrical and computer engineering KF8NH
We are Linux. Resistance is an indication that you missed the point.
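
Added example, not part of the original message and not Heimdal's code: a simplified C model of the keytab lookup that the debug output above shows, where an entry matches only when both principal and enctype are equal, next to a lookup that walks a caller-supplied enctype preference list. The function names, the macros and the sample keytab (constructed from the `ktutil list` output) are assumptions; enctype 7 stands for des3-cbc-sha1 as in the post.

```c
#include <stdio.h>
#include <string.h>

/* Simplified keytab entry: principal name plus numeric enctype. */
struct kt_entry { const char *principal; int enctype; };

#define HOST  "host/dewey.ece.cmu.edu@TEST5.ECE.CMU.EDU"
#define HPROP "hprop/dewey.ece.cmu.edu@TEST5.ECE.CMU.EDU"
#define KADM  "kadmin/hprop@TEST5.ECE.CMU.EDU"

/* Constructed sample mirroring the ktutil listing in the post
 * (3 = des-cbc-md5, 2 = des-cbc-md4, 1 = des-cbc-crc). */
static const struct kt_entry keytab[] = {
    { HOST, 3 },  { HOST, 2 },  { HOST, 1 },
    { HPROP, 3 }, { HPROP, 2 }, { HPROP, 1 },
    { KADM, 3 },  { KADM, 2 },  { KADM, 1 },
};
#define KT_LEN (sizeof keytab / sizeof keytab[0])

/* Hypothetical stand-in for the comparison the debug printf()s expose. */
static int model_compare(const struct kt_entry *e, const char *princ, int etype)
{
    return strcmp(e->principal, princ) == 0 && e->enctype == etype;
}

/* Exact-enctype lookup: index of the matching entry, or -1 if none. */
int lookup_exact(const char *princ, int etype)
{
    for (size_t i = 0; i < KT_LEN; i++)
        if (model_compare(&keytab[i], princ, etype))
            return (int)i;
    return -1;
}

/* Fallback lookup: try each enctype in the caller's preference order and
 * return the first enctype for which a key exists, or -1 if none does. */
int lookup_preferred(const char *princ, const int *etypes, size_t n)
{
    for (size_t j = 0; j < n; j++)
        if (lookup_exact(princ, etypes[j]) >= 0)
            return etypes[j];
    return -1;
}

int main(void)
{
    const int prefs[] = { 7, 3, 2, 1 };  /* des3 first, then the DES types */
    printf("exact(7) -> %d\n", lookup_exact(KADM, 7));
    printf("fallback -> enctype %d\n", lookup_preferred(KADM, prefs, 4));
    return 0;
}
```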