Is it possible to generate the keytab on the application server itself?

sandypossible at gmail.com
Tue Jan 31 02:00:57 EST 2006


Hi all,

Could you please confirm whether this means I can create the keytab
entry on the application server?  Also could you please let me know
any issues involved with this approach?

Thanks
Sandy.


sandypossible at gmail.com wrote:
> Hi Sam,
>
> Thanks a lot for the reply.
>
> Does this mean by knowing the following parameters namely,
> the password, the salt (which can include principal and realm), s2k
> parameters, the key version number, I can create the key on the
> application server itself which is identical to that used by the KDC
> while issuing the service ticket?
>
> Thanks,
> Sandy.
>
>
>
>
> Sam Hartman wrote:
> > >>>>> "sandypossible" == sandypossible  <sandypossible at gmail.com> writes:
> >
> >     sandypossible> Hi all, I have some additional queries:
> >
> >     sandypossible> 1) I understand that while creating the keytab
> >     sandypossible> file, the KDC creates the key using the service
> >     sandypossible> principal and its password. This key is extracted
> >     sandypossible> in the keytab file. Could you please let me know if
> >     sandypossible> this extracted keytab contains only the password in
> >     sandypossible> encrypted form? Does the KDC use any salt, realm
> >     sandypossible> name along with password during key creation?
> >
> >
> > Please take a look at the string2key operation in RFC 3961, the
> > implementation for AES in RFC 3962 and the implementation for RC4 in
> > draft-jaganathan-rc4-hmac-01.txt .
> >
> > In general, in order to convert a password to a key you need:
> >
> > * the password
> > * the salt (which can include principal and realm)
> > * s2k parameters
> > * the key version number
> >
> > There are various cases in which protocols can be used to find out
> > some of these.  For example, if you have the principal and password
> > you could attempt an AS request with the principal and use the
> > etype_info2 structure to get the salt, and s2kparams.  This however
> > will not get you the key version number.
> >
> > Depending on KDC configuration, you may be able to perform a TGS
> > request to get a key version number.
> >
> > --Sam
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
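The derivation Sam describes (password, salt and s2k parameters in; the key version number is only needed to label the resulting keytab entry) can be reproduced on the application server. The block below is an added example, not code from this thread or from MIT Kerberos: it implements the RFC 3962 AES string-to-key operation (PBKDF2-HMAC-SHA1, then the RFC 3961 DK step with the constant "kerberos") in pure Python, together with the RFC 4120 default salt rule (realm followed by the principal's name components). The `nfold`, AES and helper names, the `keytab_entry` dictionary shape and the sample principal and password are this example's own assumptions; the enctype numbers 17 and 18 and the 4096 default iteration count are from RFC 3962.

```python
import hashlib
import math

ETYPE_AES128_CTS_HMAC_SHA1_96 = 17   # RFC 3962 enctype numbers
ETYPE_AES256_CTS_HMAC_SHA1_96 = 18
DEFAULT_ITERATIONS = 4096            # RFC 3962 default when s2kparams is absent


def nfold(data, nbytes):
    """RFC 3961 n-fold: 13-bit rotations of data, then one's-complement addition into nbytes."""
    def rotr(ba, nbits):
        nby, rem = (nbits // 8) % len(ba), nbits % 8
        return bytes(((ba[i - nby] >> rem) | (ba[i - nby - 1] << (8 - rem))) & 0xff
                     for i in range(len(ba)))

    def add_ones(a, b):  # one's-complement addition with end-around carry
        n = len(a)
        v = [x + y for x, y in zip(a, b)]
        while any(x > 0xff for x in v):
            v = [(v[i - n + 1] >> 8) + (v[i] & 0xff) for i in range(n)]
        return bytes(v)

    total = nbytes * len(data) // math.gcd(nbytes, len(data))
    big = b"".join(rotr(data, 13 * i) for i in range(total // len(data)))
    out = bytes(nbytes)
    for i in range(0, total, nbytes):
        out = add_ones(out, big[i:i + nbytes])
    return out


def _rotl8(x, s):
    return ((x << s) | (x >> (8 - s))) & 0xff


def _make_sbox():
    """Generate the AES S-box from GF(2^8) inverses plus the affine map (tiny self-contained AES)."""
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1b if p & 0x80 else 0)) & 0xff      # p *= 3
        q ^= (q << 1) & 0xff
        q ^= (q << 2) & 0xff
        q ^= (q << 4) & 0xff
        q ^= 0x09 if q & 0x80 else 0                               # q /= 3, so q == 1/p
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


_SBOX = _make_sbox()


def _xtime(a):
    return ((a << 1) ^ 0x1b) & 0xff if a & 0x80 else a << 1


def _expand_key(key):
    """FIPS-197 key expansion; returns round keys as 16-byte column-major lists."""
    nk, rcon = len(key) // 4, 1
    w = [list(key[i:i + 4]) for i in range(0, len(key), 4)]
    for i in range(nk, 4 * (nk + 7)):
        t = w[i - 1][:]
        if i % nk == 0:
            t = [_SBOX[b] for b in t[1:] + t[:1]]                   # RotWord + SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        elif nk > 6 and i % nk == 4:
            t = [_SBOX[b] for b in t]                              # AES-256 extra SubWord
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(nk + 7)]


def aes_encrypt_block(round_keys, block):
    """Single-block AES encryption (equals CBC-CTS with a zero IV when the input is one block)."""
    s = [b ^ k for b, k in zip(block, round_keys[0])]
    last = len(round_keys) - 1
    for r in range(1, last + 1):
        s = [_SBOX[b] for b in s]                                                   # SubBytes
        s = [s[((c + row) % 4) * 4 + row] for c in range(4) for row in range(4)]    # ShiftRows
        if r != last:                                                               # MixColumns
            cols = [s[c:c + 4] for c in range(0, 16, 4)]
            s = [a[i] ^ a[0] ^ a[1] ^ a[2] ^ a[3] ^ _xtime(a[i] ^ a[(i + 1) % 4])
                 for a in cols for i in range(4)]
        s = [b ^ k for b, k in zip(s, round_keys[r])]                               # AddRoundKey
    return bytes(s)


def dk(base_key, constant=b"kerberos"):
    """RFC 3961 DK(): DR with the constant n-folded to the block size; random-to-key is identity for AES."""
    rk, block, out = _expand_key(base_key), nfold(constant, 16), b""
    while len(out) < len(base_key):
        block = aes_encrypt_block(rk, block)     # K1 = E(nfold(const)), K2 = E(K1), ...
        out += block
    return out[:len(base_key)]


def default_salt(principal):
    """RFC 4120 default salt: realm followed by the principal's name components, no separators."""
    name, realm = principal.rsplit("@", 1)
    return realm + "".join(name.split("/"))


def aes_string_to_key(password, salt, key_bytes=16, s2kparams=None):
    """RFC 3962: tkey = PBKDF2-HMAC-SHA1(password, salt, iterations); key = DK(tkey, "kerberos")."""
    iterations = int.from_bytes(s2kparams, "big") if s2kparams else DEFAULT_ITERATIONS
    tkey = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt.encode("utf-8"),
                               iterations, key_bytes)
    return dk(tkey)


def keytab_entry(principal, password, kvno, key_bytes=16, salt=None, s2kparams=None):
    """The fields a keytab entry carries; kvno is not a key input but must match the KDC's."""
    salt = default_salt(principal) if salt is None else salt
    etype = ETYPE_AES128_CTS_HMAC_SHA1_96 if key_bytes == 16 else ETYPE_AES256_CTS_HMAC_SHA1_96
    return {"principal": principal, "kvno": kvno, "etype": etype,
            "key": aes_string_to_key(password, salt, key_bytes, s2kparams)}


if __name__ == "__main__":
    # Constructed sample values (hypothetical service principal), not taken from the thread.
    entry = keytab_entry("HTTP/www.example.com@EXAMPLE.COM", "correct horse battery", kvno=3)
    print(entry["etype"], entry["kvno"], entry["key"].hex())
```

The code reproduces the RFC 3962 test vector (iteration count 1, password "password", salt "ATHENA.MIT.EDUraeburn"), so the key it produces for a given password, salt and iteration count is the one a conforming KDC holds. Two practical points follow from Sam's list: the salt and s2kparams used here are only the RFC defaults, and a KDC may use others (Windows KDCs, for instance, derive the salt from the account name rather than from the service principal name), which is why the etype_info2 data from an AS exchange is the authoritative source; and the key version number does not enter the derivation at all, but the entry written to the keytab must carry the kvno the KDC currently has for that principal, otherwise the service cannot select the right key when it decrypts tickets.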