Subject: Re: Kerberos: telnet to Solaris -> Bad encryption type
To: None <tech-security@NetBSD.org>
From: Hubert Feyrer <hubert@feyrer.de>
List: tech-security
Date: 09/26/2005 05:58:39
On Mon, 26 Sep 2005, Hubert Feyrer wrote:
> [ Trying KERBEROS5 ... ]
> [ Kerberos V5 refuses authentication because Kerberos checksum
> verification failed: Bad encryption type ]
Playing a bit more, I found that on Solaris the command to list the keytab
file is:
     sol10# klist -k -e -t
     Keytab name: FILE:/etc/krb5/krb5.keytab
     KVNO Timestamp         Principal
     ---- ----------------- ---------------------------------------------------------
        1 09/25/05 22:55:55 host/sol10@MONROE.ST (DES cbc mode with CRC-32)
===>    1 09/25/05 22:55:55 host/sol10@MONROE.ST (etype 2)
        1 09/25/05 22:55:55 host/sol10@MONROE.ST (DES cbc mode with RSA-MD5)
        1 09/25/05 22:55:55 host/sol10@MONROE.ST (Triple DES cbc mode with HMAC/sha1)
After removing that "etypes 2" (which on NetBSD is des-cbc-md4), using
"del_enctype host/sol10 des-cbc-md4" in "kadmin -l", exporting and moving
the new keytab file again (and verifying that it only contains three
etypes it knows), I get the same error, "Bad encryption type".
:(
- Hubert
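
The keytab check described in the message above, as an added example that is not part of the original post: it parses `klist -k -e -t` output and reports entries whose enctype is printed only as a number ("etype N"), which is how the listing above shows the one the Solaris side has no name for. The function names are hypothetical and the sample input is the listing quoted in the message.

```python
import re

# klist output as quoted in the message (the "===>" marker is the poster's own).
SAMPLE = """\
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Timestamp Principal
---- ----------------- ---------------------------------------------------------
1 09/25/05 22:55:55 host/sol10@MONROE.ST (DES cbc mode with CRC-32)
===> 1 09/25/05 22:55:55 host/sol10@MONROE.ST (etype 2)
1 09/25/05 22:55:55 host/sol10@MONROE.ST (DES cbc mode with RSA-MD5)
1 09/25/05 22:55:55 host/sol10@MONROE.ST (Triple DES cbc mode with HMAC/sha1)
"""

# kvno, date, time, principal@REALM, "(enctype description)"
ENTRY = re.compile(r"(\d+)\s+(\S+)\s+(\S+)\s+(\S+@\S+)\s+\((.+)\)\s*$")
# A description of this form means klist printed the raw enctype number.
NUMERIC = re.compile(r"etype (\d+)$")


def parse_keytab_listing(text):
    """Return one dict per keytab entry; header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.search(line)  # search() tolerates a leading marker such as "===>"
        if not m:
            continue
        kvno, _date, _time, principal, desc = m.groups()
        num = NUMERIC.match(desc)
        entries.append({
            "kvno": int(kvno),
            "principal": principal,
            "enctype": desc,
            "etype_number": int(num.group(1)) if num else None,
        })
    return entries


def unnamed_enctypes(entries):
    """Entries listed by number only, i.e. candidates for removal from the keytab."""
    return [e for e in entries if e["etype_number"] is not None]


if __name__ == "__main__":
    for e in unnamed_enctypes(parse_keytab_listing(SAMPLE)):
        print(f'{e["principal"]} kvno {e["kvno"]}: etype {e["etype_number"]}')
```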