ktutil - problems generating AES keys (salt?)
Greg Hudson
ghudson at MIT.EDU
Sat Aug 2 11:03:35 EDT 2014
On 08/02/2014 02:19 AM, Ben H wrote:
> The document is worded poorly as it can be interpreted that this salt is
> used for all enctypes, but I believe that only AES is salted in this way
> and based on my testing RC4 doesn't get salted.
The RC4 enctype completely ignores the salt, so it doesn't matter if
ktutil picks the wrong one.
> I see no way to feed ktutil a salt when generating the key.
I think that's correct. We would like ktutil (or perhaps a successor
program) to be able to make an AS request to get the actual salt from
the KDC, but this hasn't been implemented. Being able to manually
specify a salt could also be useful in some cases.
> I have found a tool called msktutil which I have built and it generates
> keytabs properly, I would prefer a method I know will exist with every krb5
> distribution.
I don't have personal experience generating keytabs for an AD domain. I
think msktutil may be the most common way of doing it, but I'm not certain.
The salt you described from the Microsoft documentation matches the
default RFC 4120 salt for a host/fqdn at REALM principal, so if you specify
the principal in exactly the right form (with the correct case), I would
expect ktutil to use the correct salt. So I'm not sure why it isn't
working for you.
More information about the Kerberos
mailing list