MIT krb5-1.6.3: getprinc shows 'no salt' on all keys

Mike Friedman mikef at berkeley.edu
Fri Apr 25 19:30:10 EDT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I notice that on 1.6.3, getprinc shows 'no salt' for all keys, even though 
the enctypes in kdc.conf's supported-enctypes all show a salt type of 
':normal'.  I thought ':normal' meant salt with principal and realm, in 
any case not 'no salt'.

Here's what kdc.conf has:

   supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal

And here's an extract of a principal's entry as shown by getprinc:

    Number of keys: 2
    Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
    Key: vno 3, DES cbc mode with CRC-32, no salt

I've seen this on two different 1.6.3 servers, with different sets
of supported-enctypes (all with ':normal' as the salt type).

On my 1.4.2 system, where kdc.conf looks like this:

  supported_enctypes = des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3 des-cbc-crc:v4

I get this principal key information:

    Number of keys: 5
    Key: vno 1, DES cbc mode with CRC-32, no salt
    Key: vno 1, DES cbc mode with RSA-MD5, Version 4
    Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
    Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
    Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3

So, why the 'no salt' in all the key descriptions for 1.6.3?

Thanks.

Mike

_________________________________________________________________________
Mike Friedman                        Information Services & Technology
mikef at berkeley.edu                   2484 Shattuck Avenue
1-510-642-1410                       University of California at Berkeley
http://mikef.berkeley.edu            http://ist.berkeley.edu
_________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (FreeBSD)

iEYEARECAAYFAkgSaYMACgkQFgKSfLOvZ1R+nACggh0hL1WQJR7je79c3xralo/g
owQAoIYGSHlgwPFExcLwPdAI9EPMCP6V
=2RID
-----END PGP SIGNATURE-----



More information about the Kerberos mailing list