querying salt and kvno via KDC-REQ

Benjamin Kaduk kaduk at MIT.EDU
Fri Aug 15 15:34:32 EDT 2014


On Sun, 3 Aug 2014, Mark Pröhl wrote:

> I would like to improve some parts of msktutil
> (https://code.google.com/p/msktutil/) and need a way to get information
> about the salt and a principal's kvno via KDC requests. Do the MIT krb5
> libraries provide functions for this?
>
> Some background information:
>
> The problem with the salt is currently being discussed on this list
> ("ktutil - problems generating AES keys (salt?)").
>
> In the current version msktutil is getting the kvno via LDAP search
> (attribute msds-keyversionnumber). This leads to problems when AD
> replication is slow. Network sniffs performed after password changes
> show that AS-REP messages already contain the principal's new kvno (in
> the client part) while its LDAP attribute msds-keyversionnumber has
> still the old value.

I only took a quick look ("quick", coming two weeks late; sorry), but it
looks like a combination of krb5_get_init_creds_step and krb5_sendto_kdc
should let one programmatically retrieve an AS-REP including the salt and
kvno for the desired principal, which could then be parsed with
decode_krb5_as_rep().

-Ben
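To show what Ben's approach yields once an AS-REP is in hand, here is an added example that is not part of this thread, of msktutil, or of MIT krb5: a small DER walker that reads the kvno from the enc-part and the salt from the PA-ETYPE-INFO2 padata of a raw AS-REP (RFC 4120), doing by hand what decode_krb5_as_rep() would do in libkrb5. The sample AS-REP, the realm EXAMPLE.COM, the host name and the kvno are all constructed, and the ticket field is an empty stub the parser never reads.

```python
# Constructed example (not msktutil or MIT krb5 code): kvno and salt out of a raw AS-REP.
PA_ETYPE_INFO2 = 19  # padata-type whose value is ETYPE-INFO2 (etype, salt, s2kparams)
def tlv(buf, pos=0):
    """Decode one DER TLV (tag numbers < 31) -> (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length: low bits give the number of length octets
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def children(buf):  # (tag, value) pairs directly inside a constructed value
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = tlv(buf, pos)
        out.append((tag, val))
    return out

def field(seq, n):  # inner value of context tag [n] in a SEQUENCE body, or None if absent
    return next((tlv(val)[1] for tag, val in children(seq) if tag == 0xA0 | n), None)
as_int = lambda v: int.from_bytes(v, "big", signed=True)

def parse_as_rep(raw):
    """Return {'etype', 'kvno' (None if absent), 'salts': {etype: salt}} from an AS-REP."""
    tag, body, _ = tlv(raw)
    if tag != 0x6B:  # [APPLICATION 11] AS-REP
        raise ValueError("not an AS-REP")
    rep = tlv(body)[1]  # KDC-REP SEQUENCE body
    enc = field(rep, 6)  # enc-part: EncryptedData { etype [0], kvno [1] OPTIONAL, cipher [2] }
    kvno = field(enc, 1)
    out = {"etype": as_int(field(enc, 0)), "kvno": None if kvno is None else as_int(kvno), "salts": {}}
    for _, pa in children(field(rep, 2) or b""):  # padata [2] OPTIONAL: SEQUENCE OF PA-DATA
        if as_int(field(pa, 1)) == PA_ETYPE_INFO2:
            for _, entry in children(tlv(field(pa, 2))[1]):  # padata-value holds ETYPE-INFO2
                salt = field(entry, 1)  # salt [1] KerberosString OPTIONAL
                out["salts"][as_int(field(entry, 0))] = None if salt is None else salt.decode()
    return out

# Minimal DER encoder, only used to build the constructed sample AS-REP below.
der = lambda t, b: bytes([t]) + (bytes([len(b)]) if len(b) < 128 else bytes([0x81, len(b)])) + b
der_int = lambda n: der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))
ctx = lambda n, inner: der(0xA0 | n, inner)
gs = lambda s: der(0x1B, s.encode())  # KerberosString is a GeneralString
def sample_as_rep(kvno=7, salt="EXAMPLE.COMhostbox.example.com"):
    """Constructed AS-REP: ETYPE-INFO2 salt in padata, kvno in enc-part; ticket [5] is a stub."""
    info2 = der(0x30, der(0x30, ctx(0, der_int(18)) + ctx(1, gs(salt))))
    padata = der(0x30, der(0x30, ctx(1, der_int(PA_ETYPE_INFO2)) + ctx(2, der(0x04, info2))))
    cname = der(0x30, ctx(0, der_int(1)) + ctx(1, der(0x30, gs("host") + gs("box.example.com"))))
    enc = der(0x30, ctx(0, der_int(18)) + (b"" if kvno is None else ctx(1, der_int(kvno))) + ctx(2, der(0x04, bytes(16))))
    rep = (ctx(0, der_int(5)) + ctx(1, der_int(11)) + ctx(2, padata) + ctx(3, gs("EXAMPLE.COM"))
           + ctx(4, cname) + ctx(5, der(0x61, der(0x30, b""))) + ctx(6, enc))
    return der(0x6B, der(0x30, rep))
```

Feeding `sample_as_rep()` to `parse_as_rep()` gives etype 18, kvno 7 and the salt for etype 18; a real AS-REP captured from the KDC can be passed in the same way.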