addprinc -randkey broken in 1.7?

Russ Allbery rra at
Wed Sep 16 18:50:13 EDT 2009

Mike Friedman <mikef at> writes:

> I'm running 1.6.3 and don't have this problem.  In fact, looking at the
> code in src/kadmin/cli/kadmin.c, it appears that when '-randkey' is used
> for addprinc, the password is set initially to a 256 character string
> containing all possible character values from 1 thru 255 plus a
> terminating 0 (and then randomized in a separate step).  This, I would
> think, should satisfy any password policy.

Well, it's certainly rejected by our password policy.  :)  I don't know
how it interacts with the character class checking.  We have to always
clear policies on keys before using randkey.

Russ Allbery