keytab file format - exporting arcfour keys from active directory

Marcus Watts mdw at umich.edu
Mon May 1 22:59:10 EDT 2006


Various wrote:
> Message-ID: <44569531.5080008 at nyc.rr.com>
> From: Jeffrey Altman <jaltman2 at nyc.rr.com>
> Subject: Re: keytab file format - exporting arcfour keys from active directory
> Date: Mon, 01 May 2006 23:08:32 GMT
> Organization: Road Runner High Speed Online http://www.rr.com
> To: kerberos at mit.edu
> 
> Michael B Allen wrote:
> > On Mon, 01 May 2006 17:13:13 -0400
> > Sam Hartman <hartmans at mit.edu> wrote:
> > 
> >> We'd really prefer you just call into a krb5_32.dll.  That will
> >> continue to work if the keytab format changes in the future.
> > 
> > I don't think asking people to install an MIT kerberos dll on a Windows
> > KDC would go over well. I think I'll stick to standard C.
> > 
> > Mike
> 
> Why not?   People do it all the time.  Besides what language do you
> think the DLL was compiled from?  "C".
> 
> Jeffrey Altman

I can understand not wanting to make this file format
very permanent.  I think it might be nice to have *some*
format that is reasonably permanent and useable cross-platform,
between different languages & all.  So far, we have:
	mit kerberos
	heimdal kerberos
	microsoft
	shishi
	... not to mention several vendor adaptions of mit,
	several java implementations of kerberos, etc.
The heimdal folks seem to have bothered to figure out the file format.
Apparently Microsoft today can also make keytabs.  I don't know if they
have any sort of public native API to read/write them.  The shishi
folks don't yet have logic to do this, probably in part due to the lack
of documentation.  The shishi folks *do* have their own keyfile
format.  Nevertheless, this is on their project list.  So the MIT folks
have already got significant compatibility issues to work out, at least
with past versions of themselves, & if they care, also with heimdal,
microsoft, and any other vendors or environments with which they wish
to interoperate.

I think this is an area where it would pay more to actually come up
with a standard - ideally for keytab file formats, or failing that,
some sort of import/export stringified key exchange text standard.

				-Marcus


