keytab file format - exporting arcfour keys from active directory

Jeffrey Altman jaltman2 at nyc.rr.com
Tue May 2 00:05:35 EDT 2006


Marcus Watts wrote:

> I can understand not wanting to make this file format
> very permanent.

It's not a question of making the file format permanent
or not.  The file format is extensible and it is documented
in the source code.  The Kerberos vendors work together
and as such MIT, Heimdal and Microsoft all implement the
same format.  Unfortunately, the Java team got it wrong
and have only recently corrected it.

The problem with the existing format is that it does not
have enough space to represent the entire set of key version
numbers that can be issued for a principal.  Organizations
that replace DES keys on a daily basis will run out of kvnos
in well under a year.  Therefore, the format needs to be
extended.  When we do so we would prefer to be able to upgrade
applications by replacing our libraries rather than requiring
that application vendors re-write their apps.

We have a similar problem with the FILE: ccache format
because the existing format cannot represent 64-bit time
values.

Jeffrey Altman
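
Added example, not part of the original message and not code from MIT, Heimdal or Microsoft: a minimal reader and writer for version 0x0502 keytab entries, showing the single-byte kvno field that causes the exhaustion described above. The field layout follows the format as documented in the MIT krb5 source; the principal, enctype 23 (arcfour-hmac) and all-zero key are constructed sample values.

```python
import struct

KEYTAB_V2 = b"\x05\x02"  # format version 0x0502: all integers big-endian

def _counted(data):
    return struct.pack(">H", len(data)) + data  # 16-bit length, then bytes

def pack_entry(realm, components, kvno, enctype, key, name_type=1, timestamp=0):
    """Serialize one entry. The kvno field is one byte, so it is truncated."""
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in components)
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)
    return struct.pack(">i", len(body)) + body

def _parse_entry(e):
    """Decode one entry body: names, name type, timestamp, vno8, keyblock."""
    off, fields = 2, []
    (ncomp,) = struct.unpack_from(">H", e, 0)
    for _ in range(ncomp + 1):               # realm first, then components
        (n,) = struct.unpack_from(">H", e, off)
        fields.append(e[off + 2:off + 2 + n].decode())
        off += 2 + n
    _nt, _ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", e, off)
    key = e[off + 13:off + 13 + klen]        # 13 = 4 + 4 + 1 + 2 + 2 bytes
    if len(key) != klen:
        raise ValueError("key overruns entry")
    return {"principal": "/".join(fields[1:]) + "@" + fields[0], "kvno": vno8,
            "enctype": enctype, "key": key}

def parse_keytab(blob):
    """Return one dict per live entry in a version 0x0502 keytab."""
    if blob[:2] != KEYTAB_V2:
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size > 0:             # a negative length marks a deleted slot
            if pos + size > len(blob):
                raise ValueError("truncated entry")
            entries.append(_parse_entry(blob[pos:pos + size]))
        pos += abs(size)
    return entries

# Constructed sample: host principal, arcfour-hmac (enctype 23), dummy key.
SAMPLE = KEYTAB_V2 + b"".join(
    pack_entry("EXAMPLE.COM", ["host", "srv.example.com"], kvno, 23, bytes(16))
    for kvno in (255, 256, 300))
```

Parsing `SAMPLE` returns kvnos 255, 0 and 44: once a principal's real kvno passes 255, the stored value no longer identifies the key uniquely.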


