enctype of TGS key
Frank Cusack
frank at linetwo.net
Wed Jan 4 18:17:42 EST 2012
How can I learn the enctype of the TGS key? That is, the long lived krbtgt
key. Without having kadmin privileges.
'klist -e' reports "Etype (skey, tkt)", where I take it that skey = the
enctype of the session key and tkt = the enctype of the ??? opaque ticket I
guess?
I question if this is the enctype of the TGS key because RFC 4120 5.4.2
says that an AS-REP is:
...
ticket
enc-part
...
The enc-part, AIUI, is the session key data, encrypted with the user's long
term key.
The ticket is the RFC 4120 5.3 ticket:
tkt-vno
realm
sname
enc-part
The enc-part here is encrypted with the TGS key.
If the "tkt" part of 'klist -e' output is the enctype of the TGS key, from
what field did it learn it? If it's something else, what is it? klist.c
says that the tkt value is tkt->enc_part.enctype, which does make me think
it's the enctype of the TGS key (the enctype used to encrypt the enc-part),
but how/where was this sent to the client?
Thanks.
More information about the Kerberos
mailing list