key salting and kerberos v5

Sam Hartman hartmans at MIT.EDU
Sun Apr 27 19:54:59 EDT 2003

>>>>> "Calimer0" == Calimer0  <cryos98 at> writes:

    Calimer0> from kerberos FAQ 2.0:
    >> In Kerberos 5 the complete principal name (including the realm)
    >> is used as the salt

    Calimer0> but listing principals properties with kadmin what I see
    Calimer0> is:

    Calimer0> [...]  Key: vno 1, triple DES cbc mode with HMAC/sha1,
    Calimer0> no salt Key: vno 1, DES cbc mode with CRC-32, no salt
    Calimer0> [...]

    Calimer0> I thought that key salting was the default behaviour,

It is.  Kadmin should really say default salt not no salt.  That's
what it actually means.

It says no salt because there is no salt tuple associated with the key
entry.  When no such tuple exists, then the default salt is used.

More information about the Kerberos mailing list