Is it possible to generate the keytab on the application server itself ?
Sam Hartman
hartmans at MIT.EDU
Fri Jan 27 17:51:14 EST 2006
>>>>> "sandypossible" == sandypossible <sandypossible at gmail.com> writes:
sandypossible> Hi all, I have some additional queries:
sandypossible> 1) I understand that while creating the keytab
sandypossible> file, the KDC creates the key using the service
sandypossible> principal and its password. This key is extracted
sandypossible> in the keytab file. Could you please let me know if
sandypossible> this extracted keytab contains only the password in
sandypossible> encrypted form ? Does the KDC uses any salt, realm
sandypossible> name along with password during key creation ?
Please take a look at the string2key operation in RFC 3961, the
implementation for AES in RFC 3962 and the implementation for RC4 in
draft-jaganathan-rc4-hmac-01.txt .
In general, in order to convert a password to a key you need:
* the password
* the salt (which can include principal and realm)
* s2k parameters
* the key version number
There are various cases in which protocols can be used to find out
some of these. For example, if you have the principal and password
you could attempt an AS request with the principal and use the
etype_info2 structure to get the salt,and s2kparams. This however
will not get you the key version number.
Depending on KDC configuration, you may be able to perform a TGS
request to get a key version number.
--Sam
More information about the Kerberos
mailing list