
Re: krb5_verify_user requires single-DES host key in keytab?



On Sun, Jul 29, 2007 at 05:12:32PM +0200, Love Hörnquist Åstrand wrote:
> 
> Setting the following in krb5.conf on the kdc
> 
> [kadmin]
> 	default_keys = des3-cbc-sha1:pw-salt
> 
> and doing a
> 
> 	ktutil get -p tls/admin get host/`hostname`
> 
> doesn't make you happy?

No, I get the same keys I've already got in the keytab.

> >sudo: kerb5: host service key not found: Unknown error -1765328203
> >Jul 28 23:56:46 hostname sudo:      tls : kerb5: host service key not found: Unknown error -1765328203 ; TTY=tty00 ; PWD=/home/tls ; USER=root ; COMMAND=/bin/sh
> >sudo: kerb5: Cannot verify TGT! Possible attack!: Unknown error -1765328203
> >Sorry, try again.
> >
> >Is this expected?  Can I patch krb5_verify_user to fix it?  I can't figure
> >out what that error code actually is.
> 
> /usr/heimdal/include/krb5_err.h:        KRB5_KT_NOTFOUND = -1765328203,
> 
> I think your database mismatches your keytab.

Not so far as I can tell -- and I can use the host key to log in to the
host, too.  The problem seems to be specifically with krb5_verify_user().
If you can't think of why, I can try rebuilding libkrb5 with debugging
symbols and trace into verify_user and see what it thinks is wrong --
but the problem only seems to occur on hosts that have only 3des keys,
which makes me suspicious.

Thor
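The "Unknown error -1765328203" in the sudo log is a com_err code: the high 24 bits pack the error table's name ("krb5") six bits per character and the low 8 bits are the index into that table, which is how Love could look it up as KRB5_KT_NOTFOUND in krb5_err.h. The following is an added example, not code from the thread or from Heimdal, that decodes such a code into its table name and offset so the next reader does not have to grep the headers. It assumes the standard com_err packing (the `ABC...xyz0123456789_` alphabet with 1-based values, 8-bit offset range); the small name table inside it lists only entries whose values are well known, with KRB5_KT_NOTFOUND taken from the message above.

```python
# Decode com_err-style error codes as used by Heimdal and MIT Kerberos.
# Added example: the packing scheme is the documented com_err one, the
# name table is a deliberately short, hand-checked subset.

CHAR_SET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"
BITS_PER_CHAR = 6      # each table-name character occupies 6 bits
ERRCODE_RANGE = 8      # low 8 bits of the code index into the table

# Offsets within the "krb5" table that are stable across implementations.
# 181 (KRB5_KT_NOTFOUND = -1765328203) is the value quoted in the thread.
KRB5_TABLE = {
    0: "KRB5KDC_ERR_NONE",
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    14: "KRB5KDC_ERR_ETYPE_NOSUPP",
    24: "KRB5KDC_ERR_PREAUTH_FAILED",
    31: "KRB5KRB_AP_ERR_BAD_INTEGRITY",
    32: "KRB5KRB_AP_ERR_TKT_EXPIRED",
    181: "KRB5_KT_NOTFOUND",
}


def table_base(name: str) -> int:
    """Compute the signed 32-bit base code for an error table name (1-4 chars)."""
    if not 1 <= len(name) <= 4:
        raise ValueError("com_err table names are 1 to 4 characters")
    packed = 0
    for ch in name:
        packed = (packed << BITS_PER_CHAR) | (CHAR_SET.index(ch) + 1)
    base = (packed << ERRCODE_RANGE) & 0xFFFFFFFF
    if base & 0x80000000:          # reinterpret as a signed 32-bit value
        base -= 1 << 32
    return base


def decode(code: int) -> tuple[str, int]:
    """Split a com_err code into (table name, offset).

    Codes below 256 carry no table name and are plain errno values,
    which is reported as an empty table name.
    """
    unsigned = code & 0xFFFFFFFF
    offset = unsigned & ((1 << ERRCODE_RANGE) - 1)
    packed = unsigned >> ERRCODE_RANGE
    chars = []
    for i in range(4, -1, -1):                 # com_err reads up to five 6-bit chars
        v = (packed >> (BITS_PER_CHAR * i)) & ((1 << BITS_PER_CHAR) - 1)
        if v:
            chars.append(CHAR_SET[v - 1])
    return "".join(chars), offset


def explain(code: int) -> str:
    """Human-readable explanation: table, offset and symbolic name when known."""
    table, offset = decode(code)
    if not table:
        return f"{code}: errno {offset}"
    name = KRB5_TABLE.get(offset, "<look up in krb5_err.h>") if table == "krb5" \
        else "<not a krb5 table entry>"
    return f"{code}: table '{table}' offset {offset} -> {name}"


if __name__ == "__main__":
    # The code from the sudo log in the thread.
    print(explain(-1765328203))
    # Sanity check: the krb5 table base matches the well-known KRB5KDC_ERR_NONE value.
    print(table_base("krb5"))
```

Running the block prints the krb5 table, offset 181 and the KRB5_KT_NOTFOUND name for the code in the log. The same decoder applies to any other com_err table (Heimdal's "hx50", "hdb" and so on produce different high bits); only the symbolic name lookup is limited to the short table embedded here.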