key salting and kerberos v5

Tom Yu tlyu at MIT.EDU
Mon Apr 28 01:47:54 EDT 2003

>>>>> "Sam" == Sam Hartman <hartmans at MIT.EDU> writes:

Sam> It is.  Kadmin should really say default salt not no salt.  That's
Sam> what it actually means.

Sam> It says no salt because there is no salt tuple associated with the key
Sam> entry.  When no such tuple exists, then the default salt is used.

Further confusing matters, the MIT KDC doesn't distinguish between a
key having the default salt and a key having no associated password
(e.g. a service principal's random key).  In the latter case, "no
salt" actually makes some amount of sense, though it's more accurately
"no user-typable password".  For both cases, though, the KDC stores no
salt data in the record for the key in question.


More information about the Kerberos mailing list