
List:       krbdev
Subject:    Re: Enctype configuration
From:       "Henry B. Hotz" <hotz () jpl ! nasa ! gov>
Date:       2009-07-27 21:00:38
Message-ID: 7FCAA762-2609-44FC-8848-E5C302D131D7 () jpl ! nasa ! gov


On Jul 25, 2009, at 7:29 AM, krbdev-request@mit.edu wrote:

> Date: Sat, 25 Jul 2009 06:59:44 -0400
> From: Sam Hartman <hartmans@MIT.EDU>
> Subject: Re: Enctype configuration
> To: Greg Hudson <ghudson@MIT.EDU>
> Cc: krbdev@mit.edu
> Message-ID: <tslk51xkoyn.fsf@mit.edu>
> Content-Type: text/plain; charset=us-ascii
>
>>>>>> "Greg" == Greg Hudson <ghudson@MIT.EDU> writes:
>    Greg> 2. As noted in RFC 4120, "it is not possible to generate a
>    Greg> user's key reliably given a pass phrase without contacting
>    Greg> the KDC, since it will not be known whether alternate salt
>    Greg> or parameter values are required."  However, you can guess
>    Greg> that the salt is the mangled principal, and our ktutil
>    Greg> addent -password command does exactly that.  That guess is
>    Greg> wrong if the admin used any non-NORMAL salt type when
>    Greg> creating the principal, or the principal has been renamed
>    Greg> (you can't rename a NORMAL-salted principal right now, but
>    Greg> you could if we processed the patch in RT #6323)... but in
>    Greg> the usual case, the guess is right.  That would cease to be
>    Greg> true if we switched to explicit random salts.
>
>    Greg> It should be possible to modify ktutil to contact the KDC,
>    Greg> assuming that salt information is present in
>    Greg> PREAUTH_REQUIRED errors, which seems to be true according to
>    Greg> a scan of the RFC.
>
> Thanks for bringing this up.  Unfortunately there are some interop
> cases where random salt will be a problem.  One is creating
> cross-realm passwords.  Another is creating machine and service
> accounts for Windows.  For this reason, I think it is important to
> retain the ability to support normal salt for a principal.
>
> I don't think that needs to be coupled to supported_enctypes in the
> config file.
>
> One possibility is to only support it with the -e option of cpw in
> kadmin.  Another is to have a principal flag.


I have occasionally recommended implementing a keytab import capability for this purpose.

------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
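Added example (not part of this thread, and not MIT's or Heimdal's code) to make Greg's point concrete: with a NORMAL salt the string-to-key input is the "mangled principal" (realm followed by the name components, no separators), so a tool like ktutil addent -password can rebuild the key offline; with any other salt the same pass phrase yields an unrelated key and the offline keytab silently fails to match the KDC. The code below is a stdlib-only Go implementation of the RFC 3962 AES string-to-key (PBKDF2-HMAC-SHA1 followed by the RFC 3961 DK step with the 128-bit n-fold of "kerberos"). The function names, the pass phrase and the "SomeOtherSalt" value are constructed for the example; the reference pair "password" / "ATHENA.MIT.EDUraeburn" with one iteration is the RFC 3962 Appendix B test vector. Real KDCs use the default 4096 iterations unless s2kparams says otherwise.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
)

// DefaultSalt builds the NORMAL salt: realm, then each principal name
// component, concatenated with no separators (RFC 4120 section 4).
func DefaultSalt(realm string, components ...string) string {
	return realm + strings.Join(components, "")
}

// pbkdf2SHA1 is a minimal PBKDF2-HMAC-SHA1 (RFC 2898 5.2), written out so
// the example needs nothing outside the Go standard library.
func pbkdf2SHA1(password, salt []byte, iter, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha1.New, password)
		mac.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac.Write(idx[:])
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac = hmac.New(sha1.New, password)
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// kerberosNfold128 is n-fold("kerberos") to 128 bits (RFC 3961 A.1); the DK
// constant used by RFC 3962 when turning the PBKDF2 output into the key.
var kerberosNfold128 = []byte{
	0x6b, 0x65, 0x72, 0x62, 0x65, 0x72, 0x6f, 0x73,
	0x7b, 0x9b, 0x5b, 0x2b, 0x93, 0x13, 0x2b, 0x93,
}

// deriveAESKey is DK(tkey, "kerberos"): encrypt the n-folded constant with
// tkey, feed each ciphertext block back in, until keylength bytes exist
// (one block for aes128, two for aes256).
func deriveAESKey(tkey []byte) []byte {
	c, err := aes.NewCipher(tkey)
	if err != nil {
		panic(err) // only 16 or 32 byte tkeys are valid here
	}
	block := append([]byte(nil), kerberosNfold128...)
	key := make([]byte, 0, len(tkey))
	for len(key) < len(tkey) {
		c.Encrypt(block, block)
		key = append(key, block...)
	}
	return key[:len(tkey)]
}

// StringToKeyAES implements the RFC 3962 string-to-key for
// aes128-cts-hmac-sha1-96 (keyBytes 16) and aes256-cts-hmac-sha1-96 (32).
func StringToKeyAES(password, salt string, iter, keyBytes int) []byte {
	tkey := pbkdf2SHA1([]byte(password), []byte(salt), iter, keyBytes)
	return deriveAESKey(tkey)
}

func main() {
	// Constructed inputs: the RFC 3962 test principal and a hypothetical
	// non-NORMAL salt an admin might have assigned at creation time.
	const iter = 1
	guessed := DefaultSalt("ATHENA.MIT.EDU", "raeburn")
	kdcSalt := "SomeOtherSalt"
	offline := StringToKeyAES("password", guessed, iter, 32)
	actual := StringToKeyAES("password", kdcSalt, iter, 32)
	fmt.Println("salt guessed by ktutil :", guessed)
	fmt.Println("key from guessed salt  :", hex.EncodeToString(offline))
	fmt.Println("key from KDC's salt    :", hex.EncodeToString(actual))
	fmt.Println("keytab would work      :", hex.EncodeToString(offline) == hex.EncodeToString(actual))
}
```

The same PBKDF2 output feeds both AES sizes (the 256-bit tkey simply extends the 128-bit one), which is why the salt decides the whole key family at once: get it wrong and every enctype in the keytab is wrong together, not just one.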



_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev