krb5-utils kinit will not auth against AIX's dce secd
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
krb5 (Ubuntu) | Won't Fix | Undecided | Unassigned | |
Bug Description
We use DCE on AIX to provide our Kerberos5 KDCs.
This configuration has worked fine for quite a while with heimdal-clients providing kinit and openssh-client has been able to successfully GSSAPI authenticate.
Since the 1.8 alpha version released on February 18th, ssh fails with "Cannot find ticket for requested realm." Kinit, as provided from krb5-user, fails with
kinit: KDC has no support for encryption type while getting initial credentials
This makes Kerberos unusable in my environment.
For now the machine has been reverted to 1.7 beta 3 as grabbed from karmic.
ProblemType: Bug
Architecture: i386
Date: Mon Feb 22 15:45:33 2010
DistroRelease: Ubuntu 10.04
InstallationMedia: Ubuntu 9.10 "Karmic Koala" - Release i386 (20091028.5)
Package: libkrb5-3 1.7dfsg~
ProcEnviron:
PATH=(custom, user)
LANG=en_US.UTF-8
SHELL=/bin/bash
ProcVersionSign
SourcePackage: krb5
Uname: Linux 2.6.32-
It sounds like the secd you're using only supports single DES. Single DES has been deprecated for over 10 years now as a cipher, due to its very short key length. I would highly encourage you to upgrade your infrastructure to a more secure encryption type.
If you simply must continue using your current infrastructure, you can set "allow_weak_crypto = true" in the [libdefaults] section of /etc/krb5.conf, but this is *strongly* disrecommended, and may cease to work in future versions of krb5.
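An added example, not part of the bug report or of krb5 itself: a small Python check that reads the [libdefaults] section of a krb5.conf and reports whether the allow_weak_crypto workaround mentioned above is enabled or single-DES encryption types are requested. The function names and both sample files are constructed for illustration.

```python
import re

# Single-DES enctype names as spelled in krb5.conf; "des" is the family alias.
SINGLE_DES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
              "des-cbc-raw", "des-hmac-sha1"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}  # spellings krb5 reads as true

def libdefaults(text):
    """Return the key/value relations found in the [libdefaults] section."""
    section, found = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip()
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            found[key.strip()] = value.strip()
    return found

def audit(text):
    """List findings showing that single DES is enabled or requested."""
    conf, findings = libdefaults(text), []
    if conf.get("allow_weak_crypto", "false").lower() in TRUE_VALUES:
        findings.append("allow_weak_crypto is enabled")
    for key in ENCTYPE_KEYS:
        # Entries are split on whitespace or commas; "-name" removals never match.
        names = [n.lower() for n in re.split(r"[\s,]+", conf.get(key, "")) if n]
        weak = sorted(n for n in names if n in SINGLE_DES)
        if weak:
            findings.append(f"{key} lists single DES: {', '.join(weak)}")
    return findings

# Constructed sample files, not taken from the bug report.
WORKAROUND = """[libdefaults]
    allow_weak_crypto = true
    default_tkt_enctypes = des-cbc-crc aes256-cts-hmac-sha1-96
"""
DEFAULTS = """[libdefaults]
    permitted_enctypes = aes256-cts-hmac-sha1-96 -des-cbc-crc
# allow_weak_crypto = true
"""

if __name__ == "__main__":
    for name, text in (("workaround", WORKAROUND), ("defaults", DEFAULTS)):
        print(name, audit(text) or "no weak-crypto settings")
```

Running the same check over the /etc/krb5.conf of each client shows which hosts still carry the workaround once the KDC side has moved off single DES.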