
krb5_rd_req failed: Decrypt integrity check failed


JOSE DOMINGOS GOMES TEIXEIRA

May 31, 1997

Hi,

I'm working with krb5-nt-alpha1 clients (with a krb5-1.0 server on FreeBSD
2.1.6). kinit works fine, but when I try to use the Kerberized telnet it
stops with an error message:
Kerberos V5 refuses authentication because
telnetd: krb5_rd_req failed: Decrypt integrity check failed

Before the error message it gets the host/server ticket.

Could anybody help me ?

Thanks in advance.

Jose Teixeira
(jd...@camoes.rnl.ist.utl.pt)

Ken Hornstein

Jun 2, 1997

>I'm working with krb5-nt-alpha1 clients (with krb5-1.0 server on free BSD
>2.1.6). kinit works fine, but when I try to use the kerberized telnet it
>stops with an error message:
> Kerberos V5 refuses authentication because
> telnetd: krb5_rd_req failed: Decrypt integrity check failed

"Decrypt integrity check failed" is the error that means, essentially,
"password incorrect". (If you give the wrong password to kinit, that's
the error that the libraries return internally).

In _this_ case, the key that's incorrect is probably the one stored in
the keytab on the host you're telnetting to. I would guess that Kerberized
telnets from Unix boxes suffer the same problems. For some reason, even
though the kvnos match, the key stored in /etc/krb5.keytab doesn't
match the key stored in your Kerberos database.

What you probably need to do is put a new key in /etc/krb5.keytab and
try again (after re-running kinit).

--Ken
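The stale-keytab case Ken describes (same kvno, different key bytes) is invisible to `klist -k`, which only shows principal names and kvnos. The following is an added example, not code from the thread or from MIT Kerberos: it parses the MIT keytab file format (version 0x0502), lists the entries the way `klist -k -e` would, and compares the host's keytab against a known-good copy, flagging entries that are missing, at a different kvno, or at the same kvno with a different key. The principal `host/server.example.com@EXAMPLE.COM`, the realm, both keys and both keytab files are constructed here for illustration.

```python
import struct
from dataclasses import dataclass

# Hypothetical principal and keys, constructed for this example; not real site material.
PRINCIPAL = "host/server.example.com@EXAMPLE.COM"
KEY_GOOD = bytes.fromhex("1f2e3d4c5b6a79880123456789abcdef")    # what the KDC holds
KEY_STALE = bytes.fromhex("00112233445566778899aabbccddeeff")   # left over on the host


@dataclass
class KeytabEntry:
    principal: str   # "host/fqdn@REALM"
    kvno: int
    enctype: int     # RFC 3961 enctype number; 17 is aes128-cts-hmac-sha1-96
    key: bytes


def _counted(b: bytes) -> bytes:
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries) -> bytes:
    """Serialize entries in the MIT keytab 0x0502 layout (big-endian, 32-bit vno trailer)."""
    out = b"\x05\x02"
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">II", 1, 0)            # name_type KRB5_NT_PRINCIPAL, timestamp
        body += struct.pack(">B", e.kvno & 0xFF)    # 8-bit vno
        body += struct.pack(">H", e.enctype) + _counted(e.key)
        body += struct.pack(">I", e.kvno)           # 32-bit vno, as ktadd writes it
        out += struct.pack(">i", len(body)) + body
    return out


def _take(data: bytes, pos: int):
    """Read one counted_octet_string at pos; return (bytes, position after it)."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data: bytes) -> list:
    """Read every live entry of a 0x0502 keytab; negative sizes mark deleted slots."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled here")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _take(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _take(data, pos)
            comps.append(c.decode())
        pos += 8                                    # skip name_type and timestamp
        vno = data[pos]
        (enctype,) = struct.unpack_from(">H", data, pos + 1)
        key, pos = _take(data, pos + 3)
        if end - pos >= 4:                          # a non-zero 32-bit vno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, pos)
            vno = vno32 or vno
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), vno, enctype, key))
    return entries


def compare_keytabs(host_keytab: bytes, reference_keytab: bytes) -> list:
    """List host-side entries that cannot match the reference: missing, wrong kvno,
    or the case from the thread, same kvno but different key bytes."""
    ref = {(e.principal, e.enctype): e for e in parse_keytab(reference_keytab)}
    problems = []
    for e in parse_keytab(host_keytab):
        r = ref.get((e.principal, e.enctype))
        if r is None:
            problems.append(f"{e.principal}: enctype {e.enctype} not in reference")
        elif r.kvno != e.kvno:
            problems.append(f"{e.principal}: kvno {e.kvno} on host, {r.kvno} in reference")
        elif r.key != e.key:
            problems.append(f"{e.principal}: kvno {e.kvno} matches but the key differs")
    return problems


# Constructed keytabs: the reference holds the current key, the host a stale key at the same kvno.
REFERENCE_KEYTAB = build_keytab([KeytabEntry(PRINCIPAL, 2, 17, KEY_GOOD)])
HOST_KEYTAB = build_keytab([KeytabEntry(PRINCIPAL, 2, 17, KEY_STALE)])

if __name__ == "__main__":
    for e in parse_keytab(HOST_KEYTAB):
        print(f"{e.kvno:>4} {e.principal} (enctype {e.enctype})")   # what klist -k -e shows
    for line in compare_keytabs(HOST_KEYTAB, REFERENCE_KEYTAB):
        print("MISMATCH:", line)
```

Offline comparison only works when a known-good copy of the keytab exists; on a live host the authoritative check is `kinit -k -t /etc/krb5.keytab host/<fqdn>`, which fails with the same "Decrypt integrity check failed" when the keytab key does not match the KDC's, and `kvno host/<fqdn>` shows which kvno the KDC is currently issuing for the service. If they disagree, the fix is the one Ken gives: issue a fresh key into the keytab (for example with kadmin's `ktadd`) and run kinit again, since tickets already in the credentials cache were encrypted in the old key.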

Dave McGuire

Jun 2, 1997

On June 2, you wrote:
> >In my /etc/hosts I have the little host-name first.
>
> That's a _huge_ mistake, IMHO.
>
> All of the Kerberos clients and application servers assume that (as you've
> discovered) doing a lookup on the client name will return a FQDN. You'll
> run into other subtle problems down the road if you continue this way.

I agree. I was once told that what is returned by gethostname()
should *always* be the FQDN, not just the hostname. The person who
told me about that (hi mattm) really knows his stuff so I never
bothered to check up on it...does anyone know where this is
documented?


-Dave McGuire
mcg...@neurotica.com

Ken Hornstein

Jun 2, 1997

>> All of the Kerberos clients and application servers assume that (as you've
>> discovered) doing a lookup on the client name will return a FQDN. You'll
>> run into other subtle problems down the road if you continue this way.
>
> I agree. I was once told that what is returned by gethostname()
>should *always* be the FQDN, not just the hostname. The person who
>told me about that (hi mattm) really knows his stuff so I never
>bothered to check up on it...does anyone know where this is
>documented?

The correct way to set up your DNS is documented in the Kerberos
documentation (in the install guide, I believe). However, this is
different from what you suggested ... I don't have the hostname set to
the FQDN on any of our systems.

Whether or not you want to set the hostname to the FQDN is mostly
a religious issue, IMHO (I'm not a follower of that particular religion).
For Kerberos all that's required is that
gethostbyaddr(gethostbyname(gethostname())) == FQDN, which should be the
case if you're using DNS. If your system looks at /etc/hosts first
and you have the short machine name first, then this won't be true,
and Kerberos will break.

--Ken
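Ken's rule, gethostbyaddr(gethostbyname(gethostname())) == FQDN, decides which name ends up in the host/... service principal, and therefore which keytab entry the server looks for. The following is an added example, not code from the thread: it models a resolver that reads /etc/hosts, runs that chain over two constructed hosts files that differ only in whether the short name or the FQDN comes first, and shows the principal each one produces. The hostname `server.example.com`, its address and the realm `EXAMPLE.COM` are hypothetical; the last function runs the same chain against the real resolver of the machine it executes on.

```python
import socket

# Constructed /etc/hosts contents for the hypothetical host server.example.com at
# 10.0.0.5; the only difference is which name comes first on the line.
HOSTS_SHORT_FIRST = "10.0.0.5   server   server.example.com   # short name first\n"
HOSTS_FQDN_FIRST = "10.0.0.5   server.example.com   server    # FQDN first\n"
REALM = "EXAMPLE.COM"


def parse_hosts(text: str) -> list:
    """Turn /etc/hosts lines into (address, [canonical_name, alias, ...]) tuples."""
    table = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            table.append((fields[0], fields[1:]))
    return table


def hosts_gethostbyname(table, name: str) -> str:
    """Forward lookup as a resolver reading /etc/hosts does: any name on the line matches."""
    for addr, names in table:
        if name in names:
            return addr
    raise LookupError(f"no address for {name}")


def hosts_gethostbyaddr(table, addr: str) -> str:
    """Reverse lookup: the first name on the matching line is the canonical name."""
    for a, names in table:
        if a == addr:
            return names[0]
    raise LookupError(f"no name for {addr}")


def service_principal(table, hostname: str, realm: str = REALM) -> str:
    """The host/... principal a Kerberos client or server derives for this machine:
    gethostbyaddr(gethostbyname(hostname)), the chain Ken describes."""
    canonical = hosts_gethostbyaddr(table, hosts_gethostbyname(table, hostname))
    return f"host/{canonical}@{realm}"


def naming_ok(table, hostname: str, fqdn: str) -> bool:
    """True when the resolver chain yields the FQDN the keytab key was issued for."""
    return service_principal(table, hostname) == f"host/{fqdn}@{REALM}"


def live_canonical_name() -> str:
    """The same chain against the real resolver of the machine this runs on."""
    return socket.gethostbyaddr(socket.gethostbyname(socket.gethostname()))[0]


if __name__ == "__main__":
    for label, text in (("short name first", HOSTS_SHORT_FIRST), ("FQDN first", HOSTS_FQDN_FIRST)):
        table = parse_hosts(text)
        verdict = "OK" if naming_ok(table, "server", "server.example.com") else "keytab lookup will fail"
        print(f"{label:16} -> {service_principal(table, 'server')}  {verdict}")
    try:
        print("this machine     ->", live_canonical_name())
    except OSError as err:   # socket.gaierror / socket.herror are OSError subclasses
        print("live lookup failed:", err)
```

With the short name first, the server derives host/server@EXAMPLE.COM, which has no entry in a keytab issued for host/server.example.com, so authentication fails before any key is tried. Putting the FQDN first on the /etc/hosts line (or resolving through DNS with a correct PTR record) makes the chain return the FQDN regardless of what gethostname() itself returns, which is the point Ken makes: the hostname setting is a matter of taste, the canonical name the resolver returns is not.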
