Is it possible to generate the keytab on the application server itself ?

Sam Hartman hartmans at MIT.EDU
Fri Jan 27 17:51:14 EST 2006


>>>>> "sandypossible" == sandypossible  <sandypossible at gmail.com> writes:

    sandypossible> Hi all, I have some additional queries:

    sandypossible> 1) I understand that while creating the keytab
    sandypossible> file, the KDC creates the key using the service
    sandypossible> principal and its password. This key is extracted
    sandypossible> into the keytab file. Could you please let me know if
    sandypossible> this extracted keytab contains only the password in
    sandypossible> encrypted form? Does the KDC use any salt or realm
    sandypossible> name along with the password during key creation?


Please take a look at the string2key operation in RFC 3961, the
implementation for AES in RFC 3962 and the implementation for RC4 in
draft-jaganathan-rc4-hmac-01.txt.

In general, in order to convert a password to a key you need:

* the password
* the salt (which can include principal and realm)
* s2k parameters
* the key version number

There are various cases in which protocols can be used to find out
some of these.  For example, if you have the principal and password
you could attempt an AS request with the principal and use the
etype_info2 structure to get the salt and s2kparams.  This however
will not get you the key version number.

Depending on KDC configuration, you may be able to perform a TGS
request to get a key version number.

--Sam
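
The three derivation inputs listed in the reply (password, salt, s2kparams), carried through for the AES enctypes of RFC 3962, as an added example that is not part of this thread and not MIT Kerberos code. It assumes the RFC 4120 default salt (realm followed by the principal name components, no separators) and the AES s2kparams encoding (a 4-octet big-endian PBKDF2 iteration count, default 4096 when absent). The key version number is not an input to the derivation; a keytab entry stores it beside the derived key so the server can select the right key. The pure-Python AES is only there so the block runs without any third-party library; the sample values are the RFC 3962 Appendix B test vector (password "password", salt "ATHENA.MIT.EDUraeburn", iteration count 1).

```python
"""Kerberos AES string-to-key (RFC 3962), dependency-free demonstration."""
import hashlib
import struct


# ---- minimal AES, encrypt-only (FIPS-197) ---------------------------------
def _rotl8(v, k):
    return ((v << k) | (v >> (8 - k))) & 0xFF


def _gen_sbox():
    """Build the S-box from GF(2^8) inverses plus the affine map (no table)."""
    sbox = [0] * 256
    p = q = 1                       # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF           # q /= 3
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


_SBOX = _gen_sbox()


def _xtime(a):
    """Multiply by x (i.e. by 2) in GF(2^8)."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a


def _expand_key(key):
    """FIPS-197 key schedule; returns one 16-byte round key per round."""
    nk, rounds = len(key) // 4, len(key) // 4 + 6
    w = [list(key[i:i + 4]) for i in range(0, len(key), 4)]
    rcon = 1
    for i in range(nk, 4 * (rounds + 1)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [_SBOX[b] for b in t[1:] + t[:1]]     # SubWord(RotWord(t))
            t[0] ^= rcon
            rcon = _xtime(rcon)
        elif nk > 6 and i % nk == 4:                  # AES-256 extra SubWord
            t = [_SBOX[b] for b in t]
        w.append([w[i - nk][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(rounds + 1)]


def aes_encrypt_block(key, block):
    """Single-block AES-128/192/256 encryption (state kept column-major)."""
    rks = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rks[0])]
    for rnd, rk in enumerate(rks[1:], 1):
        s = [_SBOX[b] for b in s]                                          # SubBytes
        s = [s[((c + r) % 4) * 4 + r] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd != len(rks) - 1:                                            # MixColumns
            m = []
            for c in range(4):
                a0, a1, a2, a3 = s[4 * c:4 * c + 4]
                m += [_xtime(a0) ^ _xtime(a1) ^ a1 ^ a2 ^ a3,
                      a0 ^ _xtime(a1) ^ _xtime(a2) ^ a2 ^ a3,
                      a0 ^ a1 ^ _xtime(a2) ^ _xtime(a3) ^ a3,
                      _xtime(a0) ^ a0 ^ a1 ^ a2 ^ _xtime(a3)]
            s = m
        s = [b ^ k for b, k in zip(s, rk)]                                 # AddRoundKey
    return bytes(s)


# ---- RFC 3962 string-to-key -----------------------------------------------
# 128-fold("kerberos"): the DR constant used for AES key derivation (RFC 3961 A.1).
_NFOLD_KERBEROS = bytes.fromhex("6b65726265726f737b9b5b2b93132b93")


def default_salt(realm, principal_components):
    """RFC 4120 default salt: realm then the name components, no separators."""
    return realm + "".join(principal_components)


def encode_s2kparams(iterations):
    """AES s2kparams as carried in etype-info2: 4-byte big-endian iteration count."""
    return struct.pack(">I", iterations)


def aes_string_to_key(password, salt, key_bytes=16, s2kparams=None):
    """Return (PBKDF2 output, final AES key) for aes128-cts (16) or aes256-cts (32)."""
    iterations = struct.unpack(">I", s2kparams)[0] if s2kparams else 4096
    # tkey = PBKDF2-HMAC-SHA1(UTF-8 password, UTF-8 salt, iterations, key length)
    tkey = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, key_bytes)
    # key = DK(tkey, "kerberos"): k1 = E(tkey, nfold), k2 = E(tkey, k1), ...
    # One 16-byte input under CBC-CTS with a zero IV is a plain block encryption.
    out, blk = b"", _NFOLD_KERBEROS
    while len(out) < key_bytes:
        blk = aes_encrypt_block(tkey, blk)
        out += blk
    return tkey, out[:key_bytes]


if __name__ == "__main__":
    salt = default_salt("ATHENA.MIT.EDU", ["raeburn"])       # RFC 3962 App. B vector
    tkey, key = aes_string_to_key("password", salt, 16, encode_s2kparams(1))
    print("salt      :", salt)
    print("PBKDF2 out:", tkey.hex())
    print("AES-128 key:", key.hex())
```

Changing the realm, any name component, or the iteration count changes the key, which is why the reply says a keytab cannot be reproduced from the password alone: the salt and s2kparams the KDC used must be known (or learned from etype_info2), and the kvno is needed to label the resulting keytab entry.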
