
gssapi-with-mic and a Windows AD KDC

Subject: gssapi-with-mic and a Windows AD KDC
Date: Mon, 13 Mar 2006 17:17:49 +0000
Dear OpenSSH types,

I am trying to use a Windows AD KDC to authenticate gssapi-with-mic connections between Linux clients. The problem is I get an error from the ssh server: "Encryption type not permitted". Can anyone tell me what it's objecting to, or what encryption types are permitted?

I'm using sshd: OpenSSH_4.1p1 and client: OpenSSH_3.9p1, OpenSSL 0.9.7e 25 Oct 2004

I have enabled GSSAPIAuthentication on the server and installed /etc/krb5.keytab with the key:

KVNO Principal
---- --------------------------------------------------------------------------
   4 host/somehost.cl.cam.ac.uk@AD.CL.CAM.AC.UK (DES cbc mode with RSA-MD5)


On the client I have these credentials:

Default principal: ig206@AD.CL.CAM.AC.UK

Valid starting     Expires            Service principal
03/13/06 15:55:51  03/14/06 01:55:55  krbtgt/AD.CL.CAM.AC.UK@AD.CL.CAM.AC.UK
        renew until 03/14/06 15:55:51, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
03/13/06 15:56:17  03/14/06 01:55:55  host/sark.cl.cam.ac.uk@AD.CL.CAM.AC.UK
        renew until 03/14/06 15:55:51, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5

Kerberos 4 ticket cache: /tmp/tkt1696


When I try the connection I get this output from sshd:

debug1: userauth-request for user ig206 service ssh-connection method none
debug1: attempt 0 failures 0
debug1: PAM: initializing for "ig206"
Failed none for ig206 from 128.232.8.60 port 12372 ssh2
debug1: PAM: setting PAM_RHOST to "fenton.cl.cam.ac.uk"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user ig206 service ssh-connection method gssapi-with-mic
debug1: attempt 1 failures 1
Postponed gssapi-with-mic for ig206 from 128.232.8.60 port 12372 ssh2
debug1: Miscellaneous failure
Encryption type not permitted


debug1: Got no client credentials
Failed gssapi-with-mic for ig206 from 128.232.8.60 port 12372 ssh2
debug1: userauth-request for user ig206 service ssh-connection method gssapi-with-mic
debug1: attempt 2 failures 2
Failed gssapi-with-mic for ig206 from 128.232.8.60 port 12372 ssh2

