[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Heimdal and openssh

Juha Jäykkä <juhaj@iki.fi> writes:

>>   * Interoperate with ssh-krb5 << 3.8.1p1-1 servers, which used a
>>   slightly
>>     different version of the gssapi authentication method (thanks, Aaron
>>     M. Ucko; closes: #328388).

> Perhaps this is THE patch which makes them all work together while
> openssh folks claim they don't? This is a side-issue, but it would be
> nice to know.

That may very well be the case, yeah.  I've not done a lot of

> Ahem... my krb5.conf says "permitted_enctypes = aes256-cts-hmac-sha1-96"
> (in libdefaults). So this is the culprit here? [Please, do not patronize
> me on using a non-recommended config. =) It's simply that I think DES
> has no security to speak of these days. 3DES might be worth trying,
> though.]

In further discussion, this turned out to be the problem that started all
the attempts at rebuilding things (in case anyone else happens upon this
thread).  The versions of everything in sarge aren't set up to support
256-bit AES as the only supported enctype, but this will probably work in

Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to: