
Re: cisco enctypes trouble



Jakob Schlyter <jakob@cdg.chalmers.se> writes:
> 1. Plain 'kinit' gets a des3-cbc-sha1 TGT which does not work with cisco.

So the problem here is that some servers only support a subset of the
encryption types.  There are (at least) two ways of dealing with this:

a. let the client decide what kind of etype to request
b. only store keys for the supported etypes in the databases

To my mind, solution a) is inflexible, you might have different telnet
servers which should be treated differently.  (You could of course
have lots of lines in krb5.conf to configure that, but...)  That
leaves us with b) and that's the solution that we're trying to get
working.  So in this case I would suggest just having a des-cbc-crc
key for `host/my-cisco-router'.  (I know the UI for this is kind of
suboptimal.)  If there only is a `des-cbc-crc' key, kinit should still
get a des3-cbc-sha1 ticket for `krbtgt/REALM@REALM' but only a
`des-cbc-crc' key for `host/my-cisco-router'.  Can you try doing that
and see if it just works for you?

If you do, I might implement a better command in `kadmin'. :-)

> Should I (as a kerberos user, not as the kerberos admin) really have
> to care about this?

No.

/assar
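The selection rule assar describes (the KDC encrypts a ticket with the first client-requested etype for which the service principal actually has a key, so trimming the router principal to a single des-cbc-crc key forces a DES ticket while the TGT stays des3-cbc-sha1) modelled as an added Python example. This is not Heimdal's code or anything from the thread: the principal names, key sets and the router's capability table are constructed assumptions. It also includes a small audit function that flags stored keys a given server cannot use, which is the check an admin would run before trying approach b). Single-DES etypes appear only because the thread is about them; the mechanism is the same for current etypes.

```python
"""Model of the KDC enctype negotiation described in the thread.

The client (kinit / telnet) sends the etypes it supports; the KDC encrypts
the ticket with the first requested etype for which the *service principal*
has a key in the database.  Constructed model, not Heimdal's code.
"""

# Constructed client preference list, strongest first (what plain kinit asks for).
CLIENT_ETYPES = ["des3-cbc-sha1", "des-cbc-crc"]

# Constructed KDC database: principal -> etypes with a stored key.
# Approach b) from the thread: the router principal holds only a DES key.
KDB_FIXED = {
    "krbtgt/REALM@REALM": ["des3-cbc-sha1", "des-cbc-crc"],
    "host/my-cisco-router@REALM": ["des-cbc-crc"],
}

# Same database before the fix: the router principal got the default key set.
KDB_BROKEN = {
    "krbtgt/REALM@REALM": ["des3-cbc-sha1", "des-cbc-crc"],
    "host/my-cisco-router@REALM": ["des3-cbc-sha1", "des-cbc-crc"],
}

# Constructed capability table: which etypes each server's Kerberos code can decrypt.
SERVER_ETYPES = {
    "host/my-cisco-router@REALM": ["des-cbc-crc"],
}


class NoCommonEtype(Exception):
    """No requested etype has a stored key (the KDC would return KDC_ERR_ETYPE_NOSUPP)."""


def select_etype(requested, stored):
    """KDC side: first etype in the client's preference order that the
    service principal has a key for."""
    for etype in requested:
        if etype in stored:
            return etype
    raise NoCommonEtype(f"none of {requested} has a key among {stored}")


def issue_ticket(service, kdb, requested=CLIENT_ETYPES):
    """Return the etype the KDC would use for a ticket to `service`."""
    return select_etype(requested, kdb[service])


def server_can_decrypt(service, etype, server_etypes=SERVER_ETYPES):
    """Server side: the ticket is usable only if the server implements
    the etype it was encrypted with."""
    return etype in server_etypes.get(service, [])


def audit_service_keys(kdb, server_etypes=SERVER_ETYPES):
    """Admin check: (principal, etype) pairs where the database holds a key
    for an etype the server cannot use.  Any such key lets the KDC pick an
    etype the server will then fail to decrypt."""
    findings = []
    for principal, supported in server_etypes.items():
        for etype in kdb.get(principal, []):
            if etype not in supported:
                findings.append((principal, etype))
    return findings


if __name__ == "__main__":
    for name, kdb in (("broken", KDB_BROKEN), ("fixed", KDB_FIXED)):
        tgt = issue_ticket("krbtgt/REALM@REALM", kdb)
        svc = issue_ticket("host/my-cisco-router@REALM", kdb)
        ok = server_can_decrypt("host/my-cisco-router@REALM", svc)
        print(f"{name}: TGT={tgt} router={svc} router_accepts={ok} "
              f"audit={audit_service_keys(kdb)}")
```

Running it shows the two situations from the thread side by side: with the default key set the router is handed a des3-cbc-sha1 ticket it cannot decrypt, while with only a DES key stored the TGT is still des3-cbc-sha1 and the router ticket is des-cbc-crc. The audit function returns the offending key in the first case and nothing in the second.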