ktadd then principal's password no longer works?

Shumon Huque shuque at isc.upenn.edu
Fri Aug 14 11:12:07 EDT 2009


On Fri, Aug 14, 2009 at 10:55:47AM -0400, Jeff Blaine wrote:
> Again, I must really not understand something.  This
> principal's password is getting trashed after I use
> ktadd
> 
> % sudo kadmin -p admin/admin
> Authenticating as principal admin/admin with password.
> Password for admin/admin at FOO.COM:
> kadmin:  ktadd -k admin.kt admin/admin
> Entry for principal admin/admin with kvno 9, encryption type Triple DES 
> cbc mode with HMAC/sha1 added to keytab WRFILE:admin.kt.
> Entry for principal admin/admin with kvno 9, encryption type DES cbc 
> mode with CRC-32 added to keytab WRFILE:admin.kt.
> kadmin:  quit
> 
> % sudo kadmin -p admin/admin
> Authenticating as principal admin/admin with password.
> Password for admin/admin at FOO.COM:
> kadmin: Incorrect password while initializing kadmin interface
> 
> ^^^ tried many times -- had to fix via kadmin.local

This won't work. ktadd creates a new random key everytime it
is invoked, thus destroying your earlier password derived
key. The manpage says:

     ktadd [-k keytab] [-q] [-e keysaltlist]
          [principal | -glob princ-exp] [...]

          Adds a principal or all principals  matching  princ-exp
          to  a  keytab,  randomizing each principal's key in the
          process. ...

I don't think the MIT distro has any tool to do what you want.
You'd probably need to write a program to extract the password
derived key directly from the KDB.

--Shumon.



More information about the Kerberos mailing list