
Re: Heimdal and openssh



Juha Jäykkä <juhaj@iki.fi> writes:

>>   * Interoperate with ssh-krb5 << 3.8.1p1-1 servers, which used a slightly
>>     different version of the gssapi authentication method (thanks, Aaron
>>     M. Ucko; closes: #328388).

> Perhaps this is THE patch which makes them all work together while
> openssh folks claim they don't? This is a side-issue, but it would be
> nice to know.

That may very well be the case, yeah.  I've not done a lot of
experimentation.

> Ahem... my krb5.conf says "permitted_enctypes = aes256-cts-hmac-sha1-96"
> (in libdefaults). So this is the culprit here? [Please, do not patronize
> me on using a non-recommended config. =) It's simply that I think DES
> has no security to speak of these days. 3DES might be worth trying,
> though.]

In further discussion, this turned out to be the problem that started all
the attempts at rebuilding things (in case anyone else happens upon this
thread).  The versions of everything in sarge aren't set up to support
256-bit AES as the only supported enctype, but this will probably work in
etch.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>


