[krbdev.mit.edu #7533] klist/ktutil wrapping kvno field

Ian Crowther via RT rt-comment at krbdev.mit.edu
Fri Jan 4 21:51:50 EST 2013


When ktadmin is used to put a principal with kvno 320 into a file,
klist and ktutil both show that the file has a kvno of 64.

Kaduk states "It is almost certain that klist is assuming the kvno is
an 8-bit field, so 320 wraps around to 64. (In krb4, the kvno field
actually was 8 bits.)" which would be consistent with both getprinc
and klist's kvno incrementing 'independently'.

Sample log:

kadmin.local:  getprinc cfengine-policyhost/admin at EXAMPLE.COM
Principal: cfengine-policyhost/admin at EXAMPLE.COM
Expiration date: [never]
Last password change: Sat Jan 05 00:46:15 GMT 2013
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sat Jan 05 00:46:15 GMT 2013 (root/admin at EXAMPLE.COM)
Last successful authentication: Sat Jan 05 00:16:01 GMT 2013
Last failed authentication: Sat Jan 05 00:14:55 GMT 2013
Failed password attempts: 0
Number of keys: 4
Key: vno 319, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 319, ArcFour with HMAC/md5, no salt
Key: vno 319, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 319, DES cbc mode with CRC-32, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: service


kadmin.local:  ktadd -k /tmp/newfile cfengine-policyhost/admin
Entry for principal cfengine-policyhost/admin with kvno 320,
encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to
keytab WRFILE:/tmp/newfile.
Entry for principal cfengine-policyhost/admin with kvno 320,
encryption type ArcFour with HMAC/md5 added to keytab
WRFILE:/tmp/newfile.
Entry for principal cfengine-policyhost/admin with kvno 320,
encryption type Triple DES cbc mode with HMAC/sha1 added to keytab
WRFILE:/tmp/newfile.
Entry for principal cfengine-policyhost/admin with kvno 320,
encryption type DES cbc mode with CRC-32 added to keytab
WRFILE:/tmp/newfile.
kadmin.local:


0 root at caffeine:/var/cfengine/inputs[2] klist -k /tmp/newfile
Keytab name: WRFILE:/tmp/newfile
KVNO Principal
---- --------------------------------------------------------------------------
  64 cfengine-policyhost/admin at EXAMPLE.COM
  64 cfengine-policyhost/admin at EXAMPLE.COM
  64 cfengine-policyhost/admin at EXAMPLE.COM
  64 cfengine-policyhost/admin at EXAMPLE.COM
0 root at caffeine:/var/cfengine/inputs[2]
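
The wrap described in this report (320 mod 256 = 64) can be checked directly in the keytab bytes. The following is an added example, not part of the original post or of MIT krb5: it assumes the version 0x0502 keytab file layout, in which each entry carries an 8-bit kvno and may carry a trailing 32-bit kvno, and it builds its own constructed sample (all-zero placeholder key, helper names are hypothetical).

```python
import struct

def _pack_cstr(b):
    return struct.pack(">H", len(b)) + b           # uint16 length + bytes

def _read_cstr(buf, p):
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n], p + 2 + n

def build_entry(realm, comps, kvno, enctype, key, with_vno32=True):
    """Serialise one constructed entry; the 8-bit field holds kvno mod 256."""
    body = struct.pack(">H", len(comps))
    body += b"".join(_pack_cstr(x) for x in [realm, *comps])
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name type, timestamp, kvno8
    body += struct.pack(">H", enctype) + _pack_cstr(key)
    if with_vno32:
        body += struct.pack(">I", kvno)             # trailing 32-bit kvno
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal, kvno8, kvno32 or None)] for each live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, out = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        if end > len(data):
            raise ValueError("truncated entry")
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _read_cstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _read_cstr(data, p)
            comps.append(c)
        p += 8                        # skip name type and timestamp
        kvno8 = data[p]
        _key, p = _read_cstr(data, p + 3)   # skip kvno8 (1) and enctype (2)
        kvno32 = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else None
        out.append((b"/".join(comps).decode() + "@" + realm.decode(), kvno8, kvno32))
        pos = end
    return out

# Constructed sample: kvno 320 as in the report, all-zero placeholder key.
_ARGS = (b"EXAMPLE.COM", [b"cfengine-policyhost", b"admin"], 320, 18, bytes(32))
SAMPLE = b"\x05\x02" + build_entry(*_ARGS) + build_entry(*_ARGS, with_vno32=False)
```

An entry where `kvno8` and `kvno32` differ is one that a reader using only the 8-bit field would list with the wrapped value; an entry with no 32-bit field cannot represent a kvno above 255 at all.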