enctype of TGS key

Frank Cusack frank at linetwo.net
Wed Jan 4 18:17:42 EST 2012


How can I learn the enctype of the TGS key?  That is, the long lived krbtgt
key.  Without having kadmin privileges.

'klist -e' reports "Etype (skey, tkt)", where I take it that skey = the
enctype of the session key and tkt = the enctype of the ??? opaque ticket I
guess?

I question if this is the enctype of the TGS key because RFC 4120 5.4.2
says that an AS-REP is:

  ...
  ticket
  enc-part
  ...

The enc-part, AIUI, is the session key data, encrypted with the user's long
term key.

The ticket is the RFC 4120 5.3 ticket:

  tkt-vno
  realm
  sname
  enc-part

The enc-part here is encrypted with the TGS key.

If the "tkt" part of 'klist -e' output is the enctype of the TGS key, from
what field did it learn it?  If it's something else, what is it?  klist.c
says that the tkt value is tkt->enc_part.enctype, which does make me think
it's the enctype of the TGS key (the enctype used to encrypt the enc-part),
but how/where was this sent to the client?

Thanks.
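Added example, not part of the original post and not MIT Kerberos code: RFC 4120 5.2.9 defines EncryptedData as etype, optional kvno and cipher, and only cipher is encrypted, so the etype of a ticket's enc-part can be read by a client that does not hold the service key. The sketch below parses a constructed DER Ticket (the realm EXAMPLE.COM, the kvno and the cipher bytes are made up; the helper names are hypothetical) and extracts those two cleartext fields.

```python
# Constructed sample data only; helper names are illustrative, not a library API.

def tlv(tag, body):
    """DER-encode one element (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        k = first & 0x7F
        length = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Map each context tag number [n] to the element it wraps."""
    out, pos = {}, 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out[tag & 0x1F] = val
    return out

def ticket_enc_part(der):
    """Return (etype, kvno) of a Ticket's enc-part; no key is needed."""
    tag, body, _ = read_tlv(der)
    if tag != 0x61:                           # Ticket is [APPLICATION 1]
        raise ValueError("not a Kerberos Ticket")
    fields = children(read_tlv(body)[1])      # tkt-vno, realm, sname, enc-part
    enc = children(read_tlv(fields[3])[1])    # EncryptedData: etype, kvno, cipher
    etype = int.from_bytes(read_tlv(enc[0])[1], "big", signed=True)
    kvno = int.from_bytes(read_tlv(enc[1])[1], "big") if 1 in enc else None
    return etype, kvno

def sample_ticket(etype=18, kvno=2):
    """Build a constructed krbtgt/EXAMPLE.COM Ticket with a dummy cipher."""
    gs = lambda s: tlv(0x1B, s.encode())      # GeneralString
    num = lambda v: tlv(0x02, bytes([v]))     # small positive INTEGER
    names = tlv(0x30, gs("krbtgt") + gs("EXAMPLE.COM"))
    sname = tlv(0x30, tlv(0xA0, num(2)) + tlv(0xA1, names))
    enc = tlv(0x30, tlv(0xA0, num(etype)) + tlv(0xA1, num(kvno))
              + tlv(0xA2, tlv(0x04, b"\x00" * 64)))
    return tlv(0x61, tlv(0x30, tlv(0xA0, num(5)) + tlv(0xA1, gs("EXAMPLE.COM"))
                         + tlv(0xA2, sname) + tlv(0xA3, enc)))
```

Here etype 18 is aes256-cts-hmac-sha1-96 and 23 is rc4-hmac; the value is the enctype the KDC used to encrypt the ticket under the service's long-term key.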

