key extraction for AFS kaserver
Douglas E. Engert
deengert at anl.gov
Thu Apr 15 16:06:17 EDT 2004
Andrew Bacchi wrote:
>
> I'm trying to extract a K5 key for afs. The encryption type seems to be
> invalid.
>
> kadmin: ktadd -e des-cbc-crc afs at WEB.RPI.EDU
> ktadd: Invalid argument while parsing keysalts des-cbc-crc
>
> However, if I remove the enctype it writes a DES and DES3 key.
>
> kadmin: ktadd afs at WEB.RPI.EDU
> Entry for principal afs at WEB.RPI.EDU with kvno 1, encryption type Triple
> DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
> Entry for principal afs at WEB.RPI.EDU with kvno 1, encryption type DES cbc
> mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
>
> Is this a salt problem? Can I add one of these keys to my AFS kaserver
> using asetkey? Must I use -e des-cbc-crc?
Both Sam and Ken are correct, use -e des-cbc-crc:normal

Another approach, if you wanted to base the DES key on a password, for example
if using a Windows KDC: you would use the Windows ktpass to create the AD
entry and set the key from a password. Then you can use the standard AFS
"bos_util adddes <kvno>" command to add this to /usr/afs/etc/KeyFile.
When bos_util prompts for the password, use the concatenation of
<password><realm><name><instance>

So if your password was 12345678 then you would enter:
12345678WEB.RPI.EDUafs
In your case there is no instance.

(Basically this is the difference between the V4 and V5 string-to-key routines.)

You may still need a keytab as you may still need krb524d, but you can
create this using the MIT ktutil addent with the password or the key.
>
> --
> Facade: Provide a unified interface to a set of interfaces in a
> subsystem.
>
> Andrew Bacchi
> Staff Systems Programmer
> Rensselaer Polytechnic Institute
> phone: 518 276-6415 fax: 518 276-2809
>
> http://www.rpi.edu/~bacchi/
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
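
Added example (not part of the original message): a small Python helper that builds the string described above for the bos_util password prompt, generalized to principals that do have an instance. The function names are hypothetical, and the password is the sample value from the message.

```python
# Added illustration; function names are hypothetical, not from AFS or MIT krb5.
# The default Kerberos V5 salt is the realm followed by every component of the
# principal name, joined with no separators. A V4-style string-to-key (what the
# message says bos_util applies) uses no salt, so the salt is typed as part of
# the password to arrive at the same DES key.

def v5_default_salt(principal: str) -> str:
    """Return realm + name + instance for 'name[/instance]@REALM'."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"expected name[/instance]@REALM, got {principal!r}")
    components = name.split("/")  # backslash-escaped '/' or '@' is not handled
    if any(c == "" for c in components):
        raise ValueError(f"empty name component in {principal!r}")
    return realm + "".join(components)


def bos_util_passphrase(password: str, principal: str) -> str:
    """String to enter at the bos_util prompt: <password><realm><name><instance>."""
    return password + v5_default_salt(principal)


if __name__ == "__main__":
    # Case from the message: no instance.
    print(bos_util_passphrase("12345678", "afs@WEB.RPI.EDU"))
    # Constructed case: principal with an instance.
    print(bos_util_passphrase("12345678", "afs/web.rpi.edu@WEB.RPI.EDU"))
```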