Re: krb5_verify_user requires single-DES host key in keytab?
On Sun, Jul 29, 2007 at 05:12:32PM +0200, Love Hörnquist Åstrand wrote:
>
> Setting the following in krb5.conf on the kdc
>
> [kadmin]
> default_keys = des3-cbc-sha1:pw-salt
>
> and doing a
>
> ktutil get -p tls/admin get host/`hostname`
>
> doesn't make you happy ?

No, I get the same keys I've already got in the keytab.

> >sudo: kerb5: host service key not found: Unknown error -1765328203
> >Jul 28 23:56:46 hostname sudo: tls : kerb5: host service key not found: Unknown error -1765328203 ; TTY=tty00 ; PWD=/home/tls ; USER=root ; COMMAND=/bin/sh
> >sudo: kerb5: Cannot verify TGT! Possible attack!: Unknown error -1765328203
> >Sorry, try again.
> >
> >Is this expected? Can I patch krb5_verify_user to fix it? I can't figure
> >out what that error code actually is.
>
> /usr/heimdal/include/krb5_err.h: KRB5_KT_NOTFOUND = -1765328203,
>
> I think you have a database mismatch with your keytab.

Not so far as I can tell -- and I can use the host key to log in to the
host, too. The problem seems to be specifically with krb5_verify_user().
If you can't think of why, I can try rebuilding libkrb5 with debugging
symbols and trace into verify_user and see what it thinks is wrong --
but the problem only seems to occur on hosts that have only 3des keys,
which makes me suspicious.
Thor
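
One way to check which encryption types a keytab actually holds for the host principal, which bears on the 3des-only observation in this thread. This is an added example, not part of the original message or of Heimdal; it parses the version 0x0502 keytab file format, and the realm EXAMPLE.ORG and the sample entry are constructed.

```python
import struct

# Enctype numbers from the Kerberos IANA registry (subset).
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            23: "arcfour-hmac-md5"}

def _counted(buf, off):
    """Read a 16-bit length-prefixed byte string; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def keytab_enctypes(data):
    """Return {principal: set of enctype names} for a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, off = {}, 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:            # negative size marks a deleted slot (hole)
            off += -size
            continue
        p = off
        (ncomp,) = struct.unpack_from(">H", data, p)
        realm, p = _counted(data, p + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(data, p)
            comps.append(c.decode())
        p += 4 + 4 + 1           # skip name type, timestamp, 8-bit kvno
        (etype,) = struct.unpack_from(">H", data, p)
        name = "/".join(comps) + "@" + realm.decode()
        out.setdefault(name, set()).add(ENCTYPES.get(etype, "etype-%d" % etype))
        off += size
    return out

def sample_keytab():
    """Constructed keytab: one des3 key for host/hostname@EXAMPLE.ORG."""
    s = lambda b: struct.pack(">H", len(b)) + b
    entry = (struct.pack(">H", 2) + s(b"EXAMPLE.ORG") + s(b"host") + s(b"hostname")
             + struct.pack(">IIB", 1, 1185660000, 1)   # name type, timestamp, kvno
             + struct.pack(">H", 16) + s(bytes(24)))   # enctype 16, all-zero key
    return b"\x05\x02" + struct.pack(">i", len(entry)) + entry

if __name__ == "__main__":
    for princ, etypes in keytab_enctypes(sample_keytab()).items():
        print(princ, sorted(etypes))
```

On a real host, pass the bytes of the keytab file to `keytab_enctypes()` instead of `sample_keytab()`.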