List: krbdev
Subject: Re: Enctype configuration
From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
Date: 2009-07-27 21:00:38
Message-ID: 7FCAA762-2609-44FC-8848-E5C302D131D7@jpl.nasa.gov
On Jul 25, 2009, at 7:29 AM, krbdev-request@mit.edu wrote:
> Date: Sat, 25 Jul 2009 06:59:44 -0400
> From: Sam Hartman <hartmans@MIT.EDU>
> Subject: Re: Enctype configuration
> To: Greg Hudson <ghudson@MIT.EDU>
> Cc: krbdev@mit.edu
> Message-ID: <tslk51xkoyn.fsf@mit.edu>
> Content-Type: text/plain; charset=us-ascii
>
>>>>>> "Greg" == Greg Hudson <ghudson@MIT.EDU> writes:
> Greg> 2. As noted in RFC 4120, "it is not possible to generate a
> Greg> user's key reliably given a pass phrase without contacting
> Greg> the KDC, since it will not be known whether alternate salt
> Greg> or parameter values are required." However, you can guess
> Greg> that the salt is the mangled principal, and our ktutil
> Greg> addent -password command does exactly that. That guess is
> Greg> wrong if the admin used any non-NORMAL salt type when
> Greg> creating the principal, or the principal has been renamed
> Greg> (you can't rename a NORMAL-salted principal right now, but
> Greg> you could if we processed the patch in RT #6323)... but in
> Greg> the usual case, the guess is right. That would cease to be
> Greg> true if we switched to explicit random salts.
>
> Greg> It should be possible to modify ktutil to contact the KDC,
> Greg> assuming that salt information is present in
> Greg> PREAUTH_REQUIRED errors, which seems to be true according to
> Greg> a scan of the RFC.
>
> Thanks for bringing this up. Unfortunately there are some interop
> cases where random salt will be a problem. One is creating
> cross-realm passwords. Another is creating machine and service
> accounts for Windows. For this reason, I think it is important to
> retain the ability to support normal salt for a principal.
>
> I don't think that needs to be coupled to supported_enctypes in the
> config file.
>
> One possibility is to only support it with the -e option of cpw in
> kadmin. Another is to have a principal flag.
I have occasionally recommended implementing a keytab import
capability for this purpose.
------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
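The salt guess Greg describes, worked through as an added example (Python; not code from this thread or from MIT krb5). It builds the RFC 4120 default ("NORMAL") salt the way a ktutil-style offline guess would, runs the salt-dependent PBKDF2 stage of RFC 3962 string-to-key, and compares the result against key material derived with the salt the KDC actually used. The principal names, password and "random" salt are constructed sample values; the final DK(tkey, "kerberos") step of RFC 3962 is omitted because it needs an AES-CTS implementation and does not affect whether two derivations agree.

```python
"""Why an offline keytab guess can diverge from the key the KDC holds.

Added example, not code from the krbdev thread or from MIT krb5.  It computes
the RFC 4120 default ("NORMAL") salt the way ktutil's guess does and runs the
first, salt-dependent stage of RFC 3962 string-to-key.
"""
import hashlib


def normal_salt(principal: str) -> str:
    """RFC 4120 section 4 default salt: the realm followed by the name
    components in order, with no separators.  Example:
    "host/kdc.example.com@EXAMPLE.COM" -> "EXAMPLE.COMhostkdc.example.com".
    Backslash-escaped '/' and '@' inside names are not handled here."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not realm or not name:
        raise ValueError("principal must be name@REALM: %r" % principal)
    return realm + "".join(name.split("/"))


def pbkdf2_stage(password: str, salt: str, key_len: int = 16,
                 iterations: int = 4096) -> bytes:
    """First stage of RFC 3962 string-to-key for aes128-cts-hmac-sha1-96:
    PBKDF2-HMAC-SHA1 over the UTF-8 password and salt (default iteration
    count 4096).  The real enctype key is DK(tkey, "kerberos"), which needs
    AES-CTS and is omitted: whether two derivations agree is already decided
    here, because the salt is consumed only by PBKDF2."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, key_len)


def offline_guess_matches(password: str, kdc_salt: str,
                          principal_as_typed: str) -> bool:
    """Does a ktutil-style guess (NORMAL salt of the name the admin types)
    reproduce the key material the KDC derived with kdc_salt?"""
    held_by_kdc = pbkdf2_stage(password, kdc_salt)
    guessed = pbkdf2_stage(password, normal_salt(principal_as_typed))
    return held_by_kdc == guessed


def scenarios(password: str = "constructed-example-password") -> dict:
    """The cases from the thread, with constructed sample values."""
    created_as = "svc/app.example.com@EXAMPLE.COM"
    normal = normal_salt(created_as)
    return {
        # Usual case: NORMAL salt, principal never renamed.
        "normal salt, same name": offline_guess_matches(
            password, normal, created_as),
        # Principal renamed after creation: the stored key still carries the
        # old name's salt, so a guess from the new name fails.
        "normal salt, renamed": offline_guess_matches(
            password, normal, "svc/app2.example.com@EXAMPLE.COM"),
        # Admin used a non-NORMAL (here: random) salt: no name-based guess works.
        "random salt": offline_guess_matches(
            password, "constructed-random-salt-8c1f", created_as),
    }


if __name__ == "__main__":
    for case, ok in scenarios().items():
        print("%-24s guess %s" % (case, "matches" if ok else "DIVERGES"))
```

Running the block prints one line per case; only the first matches. This is the gap the thread describes: an offline guess is right in the common case and silently wrong after a rename or with an explicit random salt, and the only reliable fix is to take the salt from the KDC's PREAUTH_REQUIRED error rather than guessing it.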