ktutil - problems generating AES keys (salt?)

Greg Hudson ghudson at MIT.EDU
Sat Aug 2 11:03:35 EDT 2014


On 08/02/2014 02:19 AM, Ben H wrote:
> The document is worded poorly as it can be interpreted that this salt is
> used for all enctypes, but I believe that only AES is salted in this way
> and based on my testing RC4 doesn't get salted.

The RC4 enctype completely ignores the salt, so it doesn't matter if
ktutil picks the wrong one.

> I see no way to feed ktutil a salt when generating the key.

I think that's correct.  We would like ktutil (or perhaps a successor
program) to be able to make an AS request to get the actual salt from
the KDC, but this hasn't been implemented.  Being able to manually
specify a salt could also be useful in some cases.

> I have found a tool called msktutil which I have built and it generates
> keytabs properly.  I would prefer a method I know will exist with every krb5
> distribution.

I don't have personal experience generating keytabs for an AD domain.  I
think msktutil may be the most common way of doing it, but I'm not certain.

The salt you described from the Microsoft documentation matches the
default RFC 4120 salt for a host/fqdn@REALM principal, so if you specify
the principal in exactly the right form (with the correct case), I would
expect ktutil to use the correct salt.  So I'm not sure why it isn't
working for you.
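As an added illustration of the salt rule discussed above (this is not code from the thread, from krb5 or from msktutil): the RFC 4120 default salt is the realm name followed by the principal's name components with no separators, and the AES enctypes feed that salt into PBKDF2-HMAC-SHA1 (RFC 3962). The script below builds the default salt from a principal string, runs that salt-dependent stage with the 4096-iteration default, checks itself against the first RFC 3962 Appendix B test vector (passphrase "password", salt "ATHENA.MIT.EDUraeburn", one iteration), and shows that changing the case of the "host" component, the host name or the realm yields different key material. The final RFC 3962 step, key = DK(tkey, "kerberos"), is left out because it is a fixed AES-keyed transform of tkey that does not read the salt again, so a mismatch at this stage is already a mismatch in the final key. The password and the example.com principals are constructed; the code assumes a principal with no quoted '/' or '@' characters and a KDC that sends no s2kparams.

```python
import hashlib

# RFC 3962 section 4: 4096 iterations when the KDC supplies no s2kparams
# (assumed here; a KDC may advertise a different count in the ETYPE-INFO2).
DEFAULT_ITERATIONS = 4096
AES_KEY_BYTES = {
    "aes128-cts-hmac-sha1-96": 16,
    "aes256-cts-hmac-sha1-96": 32,
}


def default_salt(principal: str) -> str:
    """RFC 4120 section 4 default salt: the realm name followed by every
    name component, concatenated with no separators.  Case is preserved,
    so host/x@R and HOST/x@R salt differently.

    Assumption (not from the thread): no quoted '/' or '@' in the name.
    """
    name, sep, realm = principal.rpartition("@")
    if not (sep and name and realm):
        raise ValueError(f"expected comp1/comp2@REALM, got {principal!r}")
    return realm + "".join(name.split("/"))


def aes_tkey(password: str, salt: str,
             enctype: str = "aes256-cts-hmac-sha1-96",
             iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """Salt-dependent stage of RFC 3962 string-to-key:
    tkey = random-to-key(PBKDF2-HMAC-SHA1(passphrase, salt, iterations, keylen)).
    random-to-key is the identity for AES.  The remaining step,
    key = DK(tkey, "kerberos"), is an AES-keyed transform of tkey that does
    not look at the salt again, so a tkey mismatch is a final-key mismatch.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations,
                               AES_KEY_BYTES[enctype])


def keys_match(password: str, principal_a: str, principal_b: str,
               enctype: str = "aes256-cts-hmac-sha1-96") -> bool:
    """True if the two spellings of a principal derive the same AES key material."""
    return (aes_tkey(password, default_salt(principal_a), enctype)
            == aes_tkey(password, default_salt(principal_b), enctype))


def matches_rfc3962_vector() -> bool:
    """RFC 3962 Appendix B, first vector: 1 iteration, passphrase "password",
    salt "ATHENA.MIT.EDUraeburn" (the default salt for raeburn@ATHENA.MIT.EDU),
    128-bit PBKDF2 output cdedb5281bb2f801565a1122b2563515."""
    tkey = aes_tkey("password", default_salt("raeburn@ATHENA.MIT.EDU"),
                    "aes128-cts-hmac-sha1-96", iterations=1)
    return tkey.hex() == "cdedb5281bb2f801565a1122b2563515"


if __name__ == "__main__":
    # Constructed sample values; not taken from any real domain.
    password = "Hunter2-keytab-secret"
    correct = "host/server.example.com@EXAMPLE.COM"
    for variant in (correct,
                    "HOST/server.example.com@EXAMPLE.COM",   # wrong case in component
                    "host/SERVER.EXAMPLE.COM@EXAMPLE.COM",   # wrong case in fqdn
                    "host/server.example.com@example.com"):  # wrong case in realm
        salt = default_salt(variant)
        print(f"{variant:42} salt={salt!r:40} "
              f"tkey={aes_tkey(password, salt).hex()[:16]}... "
              f"same_key={keys_match(password, correct, variant)}")
    print("RFC 3962 Appendix B vector:",
          "ok" if matches_rfc3962_vector() else "MISMATCH")
```

Run it with the exact principal string you intend to put in the keytab and compare the salt it prints with the one the KDC documents; if they differ in even one character of case, the AES keys will not match, while an RC4 key derived from the same password is unaffected because that enctype never reads the salt.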
