Two enctype questions

Mike Friedman mikef at berkeley.edu
Wed Apr 30 14:22:37 EDT 2008 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have a couple of questions related to KDC enctypes, one of which I sent 
to the list last week but received no reply:

1.  I notice that on 1.6.3, getprinc shows 'no salt' for all keys, even 
though the enctypes in kdc.conf's supported-enctypes all specify a salt 
type of ':normal', which I thought meant salt with principal name and 
realm.  Why is this?

For example, in my kdc.conf, I have this:

    supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal

  And here's an extract of a principal's entry as shown by getprinc:

     Number of keys: 2
     Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
     Key: vno 3, DES cbc mode with CRC-32, no salt

  Whereas, on my 1.4.2 system, kdc.conf looks like this:

   supported_enctypes = des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3 des-cbc-crc:v4

  and I get this principal key information:

     Number of keys: 5
     Key: vno 1, DES cbc mode with CRC-32, no salt
     Key: vno 1, DES cbc mode with RSA-MD5, Version 4
     Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
     Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
     Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3

  So, why the 'no salt' in all the key descriptions for 1.6.3?

2.  Is there any way to change the enctype of the master database key?  I 
will be kprop'ing the db from my 1.4.2 system to 1.6.3 and I'd like to 
rekey the db with an enctype of aes256-cts:normal.  But I don't see how to 
do this, since the 'master-key-type' entry in kdc.conf can't agree with 
both the old db and the rekeyed db.  Am I missing something?

Thanks.

Mike

_________________________________________________________________________
Mike Friedman                        Information Services & Technology
mikef at berkeley.edu                   2484 Shattuck Avenue
1-510-642-1410                       University of California at Berkeley
http://mikef.berkeley.edu            http://ist.berkeley.edu
_________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (FreeBSD)

iEYEARECAAYFAkgYuO0ACgkQFgKSfLOvZ1RdTACfUONpdzno2q+dIqKwRSxyc8BA
NY4An3kg3eF37kUGc7xFC19MUogRDTry
=DvSM
-----END PGP SIGNATURE-----

More information about the Kerberos mailing list