key extraction for AFS kaserver

Douglas E. Engert deengert at anl.gov
Thu Apr 15 16:06:17 EDT 2004



Andrew Bacchi wrote:
> 
> I'm trying to extract a K5 key for afs.  The encryption type seems to be
> invalid.
> 
> kadmin:  ktadd -e des-cbc-crc afs at WEB.RPI.EDU
> ktadd: Invalid argument while parsing keysalts des-cbc-crc
> 
> However, if I remove the enctype it writes a DES and DES3 key.
> 
> kadmin:  ktadd afs at WEB.RPI.EDU
> Entry for principal afs at WEB.RPI.EDU with kvno 1, encryption type Triple
> DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
> Entry for principal afs at WEB.RPI.EDU with kvno 1, encryption type DES cbc
> mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
> 
> Is this a salt problem?  Can I add one of these keys to my AFS kaserver
> using asetkey?  Must I use -e des-cbc-crc?

Both Sam and Ken are correct, use -e des-cbc-crc:normal  


Another approach if you wanted to base the DES key on a password, for example
if using a Windows KDC: you would use the Windows ktpass to create the AD
entry and set the key from a password. Then you can use the standard AFS
"bos_util adddes <kvno>" command to add this to /usr/afs/etc/KeyFile.

When bos_util prompts for the password, use the concatenation of
<password><realm><name><instance>

So if your password was 12345678 then you would enter:
12345678WEB.RPI.EDUafs
In your case there is no instance.

Basically this is the difference between the V4 and V5 string-to-key routines.

You may still need a keytab as you may still need krb524d, but you can
create this using the MIT ktutil addent with the password or the key.

> 
> --
> Facade: Provide a unified interface to a set of interfaces in a
> subsystem.
> 
> Andrew Bacchi
> Staff Systems Programmer
> Rensselaer Polytechnic Institute
> phone: 518 276-6415  fax: 518 276-2809
> 
> http://www.rpi.edu/~bacchi/
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
