Migrating a Kerberos Realm

Henry B. Hotz hotz at jpl.nasa.gov
Thu Nov 2 17:48:27 EST 2006


On Nov 2, 2006, at 9:03 AM, kerberos-request at mit.edu wrote:

> Date: Wed, 1 Nov 2006 22:21:53 -0500
> From: Ken Raeburn <raeburn at MIT.EDU>
> Subject: Re: Migrating a Kerberos Realm
> To: John Hascall <john at iastate.edu>
> Cc: kerberos at mit.edu
> Message-ID: <81ECE7EF-349E-4EF2-86A6-988B16A8E7EE at mit.edu>
> Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
>
> On Nov 1, 2006, at 22:04, John Hascall wrote:
>>    If anyone is thinking of going down this road, be aware that
>>    there are some crappy client implementations out there
>>    (* looks in the direction of WebCT Vista and coughs *)
>>    that don't handle a non-default salt correctly...
>
> And here I was, thinking it would be a good idea to pick random salt
> strings on password changes, to make certain attacks more costly....
>
> Ken

The "other" Ken says that part of the client code "isn't well  
exercised".  ;-)

OTOH, it sounds like a fun idea to me.  Do the cryptosystem RFCs
specify the default salt?

----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu




