From: Martin Laabs
Date: Wed, 11 Sep 2013 17:43:08 +0200
To: freebsd-net@freebsd.org
Subject: Kerberos problem with -current
Message-ID: <52308F8C.3010804@martinlaabs.de>

Hi,

I set up a Kerberos server on a Raspberry platform. To prove that all is
working I enabled the telnetd to use Kerberos auth. When trying to connect
to the localhost or the IP assigned to the network interface (so just using
the -current telnet with the -current telnetd and the -current Kerberos
server) I get the following error:

    Trying 192.168.1.221...
    Connected to raspberry.martinlaabs.de.
    Escape character is '^]'.
    [ Trying mutual KERBEROS5 (host/raspberry.martinlaabs.de@MARTINLAABS.DE)... ]
    Kerberos V5: mk_req failed (encryption type des-cbc-crc is disabled)
    [ Trying KERBEROS5 (host/raspberry.martinlaabs.de@MARTINLAABS.DE)... ]
    Kerberos V5: mk_req failed (encryption type des-cbc-crc is disabled)

This is very strange because there are no des-cbc-crc keys at all, and I
wonder why telnetd is asking for that deprecated key type.

When enabling the weak crypto option in krb5.conf the error message changes,
but the main problem of the des-cbc-crc key remains:

    Trying 192.168.1.231...
    Connected to raspberry.martinlaabs.de.
    Escape character is '^]'.
    [ Trying mutual KERBEROS5 (host/raspberry.martinlaabs.de@MARTINLAABS.DE)... ]
    Kerberos V5: mk_req failed (KDC has no support for encryption type)
    [ Trying KERBEROS5 (host/raspberry.martinlaabs.de@MARTINLAABS.DE)... ]
    Kerberos V5: mk_req failed (KDC has no support for encryption type)

So why does telnet or telnetd want to use the des-cbc-crc key type and not
some recent and secure key types?

Thank you,
 Martin Laabs