Problem writing keyblock to krb5.keytab w/keytab binary format.

kerberos@noopy.org kerberos at noopy.org
Wed Jul 15 12:36:01 EDT 2009


Hello,

I've reviewed the following document about the binary format used in
Kerberos keytab:

  http://www.gnu.org/software/shishi/manual/html_node/The-Keytab-Binary-File-Format.html

In my Java code I am able to read a file stream (e.g. for
/etc/krb5.keytab) and starting with the 16-bit header (0x502) I am
able to view the entries in my keytab -- including the keyblock (I
format it as a hex string) one by one.

I'm having problems understanding how to generate a keyblock and write
it to a keytab.  Basically, I'm able to write everything correctly to
new.keytab *except for the keyblock*.  That is to say: klist displays
everything correctly (well, except for the keyblock) for new.keytab
but kinit gives key mismatch errors.  When I analyze new.keytab versus
/etc/krb5.keytab with a binary editor, I've confirmed that everything
matches up in new.keytab except for the keyblock.  :-(

I am able to create keytabs under Windows w/ktpass but my preference
is to generate a keytab on the client, for a variety of reasons.  I
know the salt, the passphrase, and the kvno that were used w/ktpass
and from there I'd assume that I could generate a key w/my application
on the client.  I created the keytab w/ktpass using type DES-CBC-MD5
and I'm using the Java DES functionality to create the key and write
it to new.keytab.  Still, the keyblock is not matching up.  I checked
my endianness on the client and that was not the issue.  Without
spamming everybody here with Java code, here's what I'm attempting to
do to write the keyblock:

  - princ name: princ/myhost.fqdn at REALM
  - salt (same as what's used by ktpass): REALMhostmyhost.realm
  - password: test1234
  - kvno: 19

In my DES calls I:
  - pad and convert the salt from string to unsigned long to byte[8].
  - use the converted salt as the key and initialization vector.
  - use a cipher mode of CBC.
  - write password to crypto stream.
  - return array of bytes that reflect my encrypted key.
  - binary write keyblock to new.keytab.

Since my keyblock doesn't match what's in /etc/krb5.keytab, I can only
assume that either something is wrong with how I'm encrypting the key
or how I'm writing new.keytab.  I'm leaning towards the former.

Does anyone have any suggestions as to how I might encrypt the
keyblock w/DES or as to what I might be doing wrong?

--
K
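Added worked example (not from the original post, and not the poster's Java code): the derivation that DES enctypes such as des-cbc-md5 use is RFC 3961's des_string_to_key, and it never uses the salt as a DES key or IV. It concatenates password and salt, NUL-pads to a multiple of 8 bytes, fan-folds the bytes into a 56-bit key with odd parity, then runs DES-CBC over the padded string using that intermediate key as both key and IV and keeps the last output block. The Go code below implements that with the standard library's crypto/des and then serialises one 0x0502 keytab entry following the layout in the Shishi document linked above. The principal, salt, password and kvno in main are the values from the post, used as constructed sample input; the timestamp is an arbitrary constant, and the first call checks the known-answer vector from RFC 3961 appendix A.2.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// The 16 DES weak and semi-weak keys in odd-parity form (RFC 3961, section 6.2).
var weakKeys = map[string]bool{
	"0101010101010101": true, "fefefefefefefefe": true, "e0e0e0e0f1f1f1f1": true, "1f1f1f1f0e0e0e0e": true,
	"011f011f010e010e": true, "1f011f010e010e01": true, "01e001e001f101f1": true, "e001e001f101f101": true,
	"01fe01fe01fe01fe": true, "fe01fe01fe01fe01": true, "1fe01fe00ef10ef1": true, "e01fe01ff10ef10e": true,
	"1ffe1ffe0efe0efe": true, "fe1ffe1ffe0efe0e": true, "e0fee0fef1fef1fe": true, "fee0fee0fef1fef1": true,
}

// keyCorrection is RFC 3961 key_correction: put odd parity in the low bit of every
// byte, then XOR 0xF0 into the last byte if the result is a weak or semi-weak key.
func keyCorrection(k []byte) {
	for i := range k {
		k[i] = k[i]&0xfe | byte(1-bits.OnesCount8(k[i]&0xfe)%2)
	}
	if weakKeys[hex.EncodeToString(k)] {
		k[7] ^= 0xf0
	}
}

// desStringToKey is RFC 3961 des_string_to_key, the derivation behind des-cbc-crc,
// des-cbc-md4 and des-cbc-md5 keys: fan-fold password||salt into 56 bits, fix parity,
// then keep the last block of a DES-CBC pass over the padded string that uses the
// fan-folded key as both key and IV. The salt is never used as a DES key or IV itself.
func desStringToKey(password, salt string) ([]byte, error) {
	s := []byte(password + salt)
	s = append(s, make([]byte, (8-len(s)%8)%8)...) // NUL-pad to a multiple of 8 bytes
	key := make([]byte, 8)
	for i := 0; i < len(s); i += 8 {
		for j := 0; j < 8; j++ {
			c := s[i+j] & 0x7f // drop the high bit of each byte: 7 bits per byte, 56 per block
			if (i/8)%2 == 0 {
				key[j] ^= c << 1 // even-numbered blocks: 7 bits go to bits 7..1, bit 0 is parity
			} else {
				key[7-j] ^= bits.Reverse8(c) // odd-numbered blocks: XOR the 56-bit string reversed
			}
		}
	}
	keyCorrection(key)
	block, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(s))
	cipher.NewCBCEncrypter(block, key).CryptBlocks(out, s) // CBC "checksum": IV = intermediate key
	final := out[len(out)-8:]
	keyCorrection(final)
	return final, nil
}

// keytabEntry serialises one entry in the 0x0502 (big-endian) keytab layout from the
// Shishi document: size, num_components, realm, components, name_type, timestamp, vno8,
// keyblock {enctype, counted key}, and the optional 32-bit vno.
func keytabEntry(realm string, comps []string, kvno, timestamp uint32, enctype uint16, key []byte) []byte {
	var body bytes.Buffer
	putStr := func(s string) { // counted_octet_string: uint16 length followed by the bytes
		binary.Write(&body, binary.BigEndian, uint16(len(s)))
		body.WriteString(s)
	}
	binary.Write(&body, binary.BigEndian, uint16(len(comps)))
	putStr(realm)
	for _, c := range comps {
		putStr(c)
	}
	binary.Write(&body, binary.BigEndian, uint32(1)) // name_type 1 = KRB5_NT_PRINCIPAL
	binary.Write(&body, binary.BigEndian, timestamp)
	body.WriteByte(byte(kvno)) // 8-bit vno; the full 32-bit vno follows the keyblock
	binary.Write(&body, binary.BigEndian, enctype)
	putStr(string(key))
	binary.Write(&body, binary.BigEndian, kvno)
	var out bytes.Buffer
	binary.Write(&out, binary.BigEndian, int32(body.Len())) // size counts everything after itself
	out.Write(body.Bytes())
	return out.Bytes()
}

func main() {
	k, _ := desStringToKey("password", "ATHENA.MIT.EDUraeburn") // RFC 3961 A.2 expects cbc22fae235298e3
	fmt.Printf("RFC 3961 vector: %x\n", k)
	// Principal, salt, password and kvno from the post, used as constructed sample input;
	// the timestamp is an arbitrary constant and enctype 3 is des-cbc-md5.
	k, _ = desStringToKey("test1234", "REALMhostmyhost.realm")
	entry := keytabEntry("REALM", []string{"princ", "myhost.fqdn"}, 19, 1247675761, 3, k)
	fmt.Printf("keyblock: %x\nkeytab: %x\n", k, append([]byte{0x05, 0x02}, entry...))
}
```

Two points worth keeping in mind when comparing the output against a ktpass-generated file: ktpass with DES-CBC-MD5 performs this same string-to-key with the Kerberos salt (realm followed by the principal components), so once the derivation matches, the keyblock bytes match too; and klist only parses the keytab structure and never validates key material, which is why a wrong keyblock lists cleanly and only shows up as a key mismatch when kinit actually uses the key.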
