Generating krbPrincipalKey and krbPrincipalName out of known passwords

Greg Hudson ghudson at MIT.EDU
Mon Jul 8 12:20:11 EDT 2013


On 07/08/2013 07:08 AM, Maike Lorenz wrote:
> Does someone know how I can transfer the userPasswords I already have to
> the needed attributes for Kerberos (krbPrincipalKey, krbPrincipalName)?
> During the creation process I have the chance to get the plaintext value
> out of nspmDistributionPassword.
> It would be great if I could do this within the driver at the moment the
> user will be created.
> But I could use other methods as well.

I am not very familiar with eDirectory (only with the MIT krb5 LDAP back
end, which is based on eDirectory code and shares most of its schema),
so there might be a better way of doing what you want using eDirectory
tools if you contact Novell.  If you must do it with your own code, here
are some pointers.

The krbPrincipalName is just the unparsed principal name.  For
krbPrincipalKey, you will need the plaintext value to start with.  There
are two steps, one of which can be accomplished with libkrb5 and the
other of which will require an ASN.1 encoder.

First, you have to convert the password into keys for one or more
enctypes using krb5_c_string_to_key().  You can use
krb5_principal2salt() to get the default salt for the principal name.

Second, you have to marshal the keys into an octet string using ASN.1.
Here are some comments from the schema file containing a partial ASN.1
module for the marshalling:

##### KrbKeySet ::= SEQUENCE {
##### attribute-major-vno       [0] UInt16,
##### attribute-minor-vno       [1] UInt16,
##### kvno                      [2] UInt32,
##### mkvno                     [3] UInt32 OPTIONAL,
##### keys                      [4] SEQUENCE OF KrbKey,
##### ...
##### }
#####
##### KrbKey ::= SEQUENCE {
##### salt      [0] KrbSalt OPTIONAL,
##### key       [1] EncryptionKey,
##### s2kparams [2] OCTET STRING OPTIONAL,
##### ...
##### }
#####
##### KrbSalt ::= SEQUENCE {
##### type      [0] Int32,
##### salt      [1] OCTET STRING OPTIONAL
##### }
#####
##### EncryptionKey ::= SEQUENCE {
##### keytype   [0] Int32,
##### keyvalue  [1] OCTET STRING
##### }

Use explicit tagging.
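The second step (marshalling keys into the krbPrincipalKey octet string with explicit tagging), as an added worked example that is not part of the original post and not MIT krb5's own encoder. It writes a small DER encoder straight from the ASN.1 module quoted above and a matching decoder so the result can be checked. The first step is deliberately left out: the 32-byte key is a constructed placeholder standing in for the output of krb5_c_string_to_key() (for the AES enctypes that is PBKDF2 plus an AES-based derivation per RFC 3962, which the standard library cannot do). Assumptions: attribute-major-vno and attribute-minor-vno are set to 1/1 (the values I believe the MIT LDAP back end writes; verify against your own schema), enctype 18 is aes256-cts-hmac-sha1-96, salt type 0 is the normal (principal-derived) salt, and the default-salt helper mirrors krb5_principal2salt() without handling escaped name components.

```python
# Added example: DER-encode a KrbKeySet for the krbPrincipalKey attribute.
# Not the MIT krb5 or eDirectory code; see the lead-in for assumptions.

ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18   # RFC 3962 enctype number
KRB5_KDB_SALTTYPE_NORMAL = 0           # salt derived from the principal name

# --- minimal DER primitives -------------------------------------------------
def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_integer(v):
    """INTEGER, minimal two's-complement big-endian contents."""
    body = v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True)
    while len(body) > 1 and ((body[0] == 0x00 and body[1] < 0x80) or
                             (body[0] == 0xFF and body[1] >= 0x80)):
        body = body[1:]                # drop redundant sign-extension bytes
    return der_tlv(0x02, body)

def der_octet_string(b):
    return der_tlv(0x04, b)

def der_sequence(*items):
    return der_tlv(0x30, b"".join(items))

def explicit(n, inner):
    """[n] EXPLICIT: a constructed context-specific tag wrapping the inner TLV."""
    return der_tlv(0xA0 | n, inner)

# --- the KrbKeySet module from the schema comments --------------------------
def encode_encryption_key(keytype, keyvalue):
    return der_sequence(explicit(0, der_integer(keytype)),
                        explicit(1, der_octet_string(keyvalue)))

def encode_krb_salt(salttype, salt=None):
    items = [explicit(0, der_integer(salttype))]
    if salt is not None:
        items.append(explicit(1, der_octet_string(salt)))
    return der_sequence(*items)

def encode_krb_key(keytype, keyvalue, salttype=None, salt=None, s2kparams=None):
    items = []
    if salttype is not None:                       # salt [0] OPTIONAL
        items.append(explicit(0, encode_krb_salt(salttype, salt)))
    items.append(explicit(1, encode_encryption_key(keytype, keyvalue)))
    if s2kparams is not None:                      # s2kparams [2] OPTIONAL
        items.append(explicit(2, der_octet_string(s2kparams)))
    return der_sequence(*items)

def encode_krb_key_set(keys, kvno, mkvno=None, major_vno=1, minor_vno=1):
    """keys: list of already-encoded KrbKey values. major/minor 1/1 is an assumption."""
    items = [explicit(0, der_integer(major_vno)),
             explicit(1, der_integer(minor_vno)),
             explicit(2, der_integer(kvno))]
    if mkvno is not None:                          # mkvno [3] OPTIONAL
        items.append(explicit(3, der_integer(mkvno)))
    items.append(explicit(4, der_sequence(*keys)))  # keys [4] SEQUENCE OF KrbKey
    return der_sequence(*items)

def principal_default_salt(principal):
    """Like krb5_principal2salt(): realm followed by the name components, no separators.
    Simplified parse: escaped '@' or '/' in names is not handled (assumption)."""
    name, realm = principal.rsplit("@", 1)
    return (realm + name.replace("/", "")).encode()

# --- decoder, enough to check what was written ------------------------------
def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def read_children(buf):
    pos, out = 0, []
    while pos < len(buf):
        tag, content, pos = read_tlv(buf, pos)
        out.append((tag, content))
    return out

def decode_key_set(der):
    """Return (kvno, [(keytype, keyvalue), ...]) from a DER KrbKeySet."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("KrbKeySet must be a SEQUENCE")
    fields = dict(read_children(body))             # context tag -> inner TLV
    kvno = int.from_bytes(read_tlv(fields[0xA2])[1], "big", signed=True)
    keys = []
    for _, krbkey in read_children(read_tlv(fields[0xA4])[1]):
        enckey = dict(read_children(read_tlv(dict(read_children(krbkey))[0xA1])[1]))
        keytype = int.from_bytes(read_tlv(enckey[0xA0])[1], "big", signed=True)
        keys.append((keytype, read_tlv(enckey[0xA1])[1]))
    return kvno, keys

if __name__ == "__main__":
    principal = "maike@EXAMPLE.COM"                # constructed sample principal
    sample_key = bytes(range(32))                  # constructed placeholder, NOT a real key
    krbkey = encode_krb_key(ENCTYPE_AES256_CTS_HMAC_SHA1_96, sample_key,
                            KRB5_KDB_SALTTYPE_NORMAL, principal_default_salt(principal))
    attr = encode_krb_key_set([krbkey], kvno=1, mkvno=1)
    print("krbPrincipalName:", principal)
    print("krbPrincipalKey :", attr.hex())
    print("decoded         :", decode_key_set(attr))
```

Feed the real key bytes from krb5_c_string_to_key() into encode_krb_key() in place of the placeholder, one KrbKey per enctype you want the principal to have; the salt written into KrbSalt must be the same one used for the string-to-key call, or the KDC will derive a different key than the one stored.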
