当尝试通过 TFTP 加载 SRVTAB 时,我收到“不支持的密钥类型”错误:
abc(config)#kerberos srvtab remote 1.2.3.4 abc.srvtab
Loading abc.srvtab from 1.2.3.4 (via Vlan123): !
[OK - 121 bytes]
Unsupported keytype 18! Discarding...
No principals in srvtab! Discarding...
Failed to retrieve srvtab from tftp://1.2.3.4/abc.srvtab
然而,没有错误如果手动指定条目则会收到:
abc(config)#kerberos srvtab entry host/abc@REALM 1 1418612000 1 18 32 0123456...
…但生成的密钥不起作用(尽管没有config-key设置,但查看配置文件时密钥值似乎已损坏)。更糟糕的是,配置导致 IOS 在启动 Kerberos 会话时尝试分配 GB 的内存:
Dec 15 19:42:03.030: AAA/BIND(00000B9A): Bind i/f
Dec 15 19:42:03.035: %SYS-2-MALLOCFAIL: Memory allocation of 4294580232 bytes failed from 0x1488F68, alignment 0
Pool: Processor Free: 5121120 Cause: Not enough free memory
Alternate Pool: None Free: 0 Cause: No Alternate pool
-Process= "Virtual Exec", ipl= 0, pid= 399
-Traceback= 53C8ECz 1DCFBF8z 1DD6FDCz 1DD77B4z 2ACF704z 1488F6Cz 146BF6Cz 148C61Cz 14816A8z 1255930z 1255BC4z 1255C64z 12483C0z 494B7Cz 299BEA8z 2996448z
Dec 15 19:42:03.040: Kerberos: Failed to generate authentication data!
Dec 15 19:42:03.040: AAA/AUTHEN/LOGIN (00000B9A): Pick method list 'default'
Dec 15 19:42:03.040: kerberos(00000B9A): krb_is_user_authenticated 0
因此,我们可以推测aes256-cts-hmac-sha1-96 不是支持该设备,但如何确定哪些算法是支持的?