Moving Realms

Sam Hartman hartmans at MIT.EDU
Wed Mar 19 14:28:16 EST 2003


>>>>> "Greg" == Greg Wettstein <greg at wind.enjellic.com> writes:


    Greg> I would be interested in what the collective thinking of a
    Greg> strategy such as this would be?  We crypted the raw password
    Greg> value with the KDC master key to make sure that the raw
    Greg> password was at least as secure as the database itself.  My
    Greg> thinking was that if you lose the KDC the loss of the actual
    Greg> password value itself is probably the least of one's
    Greg> problems.


Instead of storing the password, you can just store the old salt.
Then you can tell the client what salt to use using the etype-info
preauth type.
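
The approach in the reply above, as an added example that is not part of the original post: a toy model showing that a key derived with the old realm's salt still verifies after the move, provided the client uses the salt the KDC advertises rather than the new default. The realm names, password and `ToyKdc` class are constructed for illustration, and `string_to_key` is a simplified stand-in (only the PBKDF2 step of the RFC 3962 AES string-to-key).

```python
import hashlib
import hmac

def default_salt(realm: str, principal: str) -> bytes:
    # RFC 4120 default salt: realm, then the name components, no separators.
    return (realm + principal.replace("/", "")).encode()

def string_to_key(password: str, salt: bytes) -> bytes:
    # Simplification (assumption): only the PBKDF2-HMAC-SHA1 step of the
    # RFC 3962 AES string-to-key; the final key-derivation step is omitted.
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, dklen=32)

class ToyKdc:
    """Hypothetical KDC database: stores key and salt, never the password."""
    def __init__(self):
        self.db = {}

    def add_principal(self, realm, name, password):
        salt = default_salt(realm, name)
        self.db[(realm, name)] = (string_to_key(password, salt), salt)

    def move_realm(self, old, new):
        # Rename the entries; keys and their original salts are kept as-is.
        self.db = {(new if r == old else r, n): e for (r, n), e in self.db.items()}

    def etype_info_salt(self, realm, name):
        # The salt the KDC would advertise in ETYPE-INFO pre-auth data.
        return self.db[(realm, name)][1]

    def key_matches(self, realm, name, client_key):
        return hmac.compare_digest(self.db[(realm, name)][0], client_key)

def demo():
    pw = "constructed-password"  # constructed sample value
    kdc = ToyKdc()
    kdc.add_principal("OLD.EXAMPLE.COM", "alice", pw)
    kdc.move_realm("OLD.EXAMPLE.COM", "NEW.EXAMPLE.COM")
    # Client that assumes the default salt for the new realm: wrong key.
    k1 = string_to_key(pw, default_salt("NEW.EXAMPLE.COM", "alice"))
    # Client that uses the salt from ETYPE-INFO: same key as before the move.
    k2 = string_to_key(pw, kdc.etype_info_salt("NEW.EXAMPLE.COM", "alice"))
    return (kdc.key_matches("NEW.EXAMPLE.COM", "alice", k1),
            kdc.key_matches("NEW.EXAMPLE.COM", "alice", k2))

if __name__ == "__main__":
    print(demo())
```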


