client side password store best practices?

Chris Hecker checker at d6.com
Tue Aug 9 19:34:49 EDT 2011


Ah, awesome, thanks!

I was deep in the KDC looking to see if it returned the client kvno 
anywhere, and found this in do_as_req:

     errcode = krb5_encode_kdc_rep(kdc_context, KRB5_AS_REP,
                                   &reply_encpart,
                                   0, as_encrypting_key, &reply,
                                   response);
     reply.enc_part.kvno = client_key->key_data_kvno;

which--obviously just to mock me--puts the client's kvno into the reply 
_after_ it's been encoded into the response.  :)

> keytab entry with the most recent kvno, since the KDC doesn't
> mention the kvno during an AS exchange.

I think I'm confused about the kvno, then.  Is that because the KDC will 
always use the latest kvno, so the code just sends the latest it's got 
and hopes it works (and if not, it means the keytab needs updating)? 
But, for other kinds of stuff, like decoding tickets from clients, the 
server checks the kvno since that's what allows tickets older than a 
recently changed key to still work?

Thanks,
Chris


On 2011/08/09 16:20, Greg Hudson wrote:
> On Tue, 2011-08-09 at 19:05 -0400, Chris Hecker wrote:
>> However, I've hit a snag:  when creating a keytab on the client using
>> the code from ktutil as a reference, how do I know what kvno to use?
>
> If you're only using the keytab with krb5_get_init_creds_keytab, then it
> doesn't matter if you get the kvno right.  The client code will use the
> keytab entry with the most recent kvno, since the KDC doesn't mention
> the kvno during an AS exchange.
>
>
>
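A small model of the two keytab lookups this thread contrasts, added here as an example (it is not MIT krb5 code; the principal names, kvno values and key bytes are constructed sample values). With no kvno requested it behaves like the client side of an AS exchange, taking the newest entry; with a kvno requested it behaves like a service decrypting a ticket, which must find the exact entry the ticket was encrypted under.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class KeytabEntry:
    principal: str
    kvno: int
    key: bytes  # constructed placeholder, not real key material


class KvnoNotFound(Exception):
    """No entry for the requested principal/kvno (cf. KRB5_KT_KVNONOTFOUND)."""


def find_key(keytab: List[KeytabEntry], principal: str,
             kvno: Optional[int] = None) -> KeytabEntry:
    """kvno=None: AS exchange, the AS-REP does not tell the client which kvno
    the KDC used, so take the highest kvno on file and hope it is current.
    kvno=N: ticket decryption, the ticket's enc_part names its kvno, so only
    that exact entry will do (older entries kept in the keytab let tickets
    issued under a previous key keep working after a rotation)."""
    candidates = [e for e in keytab if e.principal == principal]
    if kvno is None:
        if not candidates:
            raise KvnoNotFound(principal)
        return max(candidates, key=lambda e: e.kvno)
    for e in candidates:
        if e.kvno == kvno:
            return e
    raise KvnoNotFound(f"{principal} kvno {kvno}")


def as_exchange_will_succeed(keytab: List[KeytabEntry], principal: str,
                             kdc_current_kvno: int) -> bool:
    """The client only learns it guessed wrong when the KDC rejects the
    exchange: a stale keytab (newest kvno older than the KDC's) needs updating."""
    return find_key(keytab, principal).kvno == kdc_current_kvno


def can_decrypt_ticket(keytab: List[KeytabEntry], principal: str,
                       ticket_kvno: int) -> bool:
    try:
        find_key(keytab, principal, ticket_kvno)
        return True
    except KvnoNotFound:
        return False


# Constructed sample keytab: service key rotated from kvno 3 to 4, old entry kept.
SERVICE = "host/www.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = [
    KeytabEntry(SERVICE, 3, b"old-key-material"),
    KeytabEntry(SERVICE, 4, b"new-key-material"),
]
```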