kpasswd: Failed decrypting request - Kerberos

This is a discussion on kpasswd: Failed decrypting request - Kerberos ; Using krb5-1.4.3 on a Redhat system and I get the following error from kpasswd: Failed decrypting request The admin server is accessed via VPN/NAT and from the sparse info I could find, I suspect that's the issue. DNS does show ...

+ Reply to Thread
Results 1 to 3 of 3

Thread: kpasswd: Failed decrypting request

  1. kpasswd: Failed decrypting request

    Using krb5-1.4.3 on a Redhat system and I get the following error from
    kpasswd:

    Failed decrypting request

    The admin server is accessed via VPN/NAT and from the sparse info I could
    find, I suspect that's the issue. DNS does show that my VPN IP matches
    the hostname.

    Questions...

    Is that the cause of the error?

    Are there plans to fix this?

    If there are no plans to fix it (or it can't be fixed)... is there any
    possibility the error message could be a bit more descriptive?

    I'm trying to deploy kerberos to a large number of users, many will be
    accessing our systems via the VPN and I'm sure this will be an issue.
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: kpasswd: Failed decrypting request

    petesea@bigfoot.com wrote:
    > Using krb5-1.4.3 on a Redhat system and I get the following error from
    > kpasswd:
    >
    > Failed decrypting request
    >
    > The admin server is accessed via VPN/NAT and from the sparse info I could
    > find, I suspect that's the issue. DNS does show that my VPN IP matches
    > the hostname.
    >
    > Questions...
    >
    > Is that the cause of the error?
    >
    > Are there plans to fix this?
    >
    > If there are no plans to fix it (or it can't be fixed)... is there any
    > possibility the error message could be a bit more descriptive?
    >
    > I'm trying to deploy kerberos to a large number of users, many will be
    > accessing our systems via the VPN and I'm sure this will be an issue.


    You cannot use the MIT kpasswd through a NAT. The IP address of the
    client as seen by the server must match the one the client sees.

    When the IETF completes the new set/change password protocol I'm sure
    that MIT will consider implementing it.

    Jeffrey Altman

  3. Re: kpasswd: Failed decrypting request

    >> If there are no plans to fix it (or it can't be fixed)... is there any
    >> possibility the error message could be a bit more descriptive?
    >>
    >> I'm trying to deploy kerberos to a large number of users, many will be
    >> accessing our systems via the VPN and I'm sure this will be an issue.

    >
    >You cannot use the MIT kpasswd through a NAT. The IP address of the
    >client as seen by the server must match the one the client sees.
    >
    >When the IETF completes the new set/change password protocol I'm sure
    >that MIT will consider implementing it.


    If you can't wait for that, fixing the current server to work when the
    client is behind a NAT is only about 20-30 lines of code. I believe the
    mailing list archives would show you the different solutions various
    people have come up with.

    --Ken
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


+ Reply to Thread