Retrieving Kerberos password hash
Greg Hudson
ghudson at mit.edu
Tue Oct 7 11:02:52 EDT 2014

On 10/07/2014 08:43 AM, kannan rbk wrote:
> Is there any way to get the password hash & salt from the kerberos server?

The Kerberos protocol uses a very specific kind of "password hash" (the
RFC 3961 string-to-key operation), which may not be importable into
other applications. It might be importable into Active Directory since
AD is itself a Kerberos implementation; I'm not certain.

The MIT krb5 admin protocol doesn't allow long-term keys to be retrieved
from the DB without changing them. But you can retrieve long-term keys
using kadmin.local (using the "ktadd -norandkey" operation) or from a
database dump.

The salt can be retrieved in a variety of ways: from the etype-info2
field of an AS reply, from a database dump, or in most cases just by
computing the default salt from the principal name. The default salt
for a principal name is the realm name followed by the principal
components in order, e.g. "ATHENA.MIT.EDUghudson" for
ghudson@ATHENA.MIT.EDU.
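
The default-salt rule described in the message above, as an added example that is not part of the original post or of MIT krb5: it parses a principal name, builds the default salt, and runs the PBKDF2 stage that the RFC 3962 AES string-to-key applies to password and salt. The function names, the simplified backslash handling and the choice of the AES enctypes are assumptions made for this illustration.

```python
import hashlib

def parse_principal(name, default_realm=None):
    """Split 'comp1/comp2@REALM' into (components, realm).

    Simplified parser (an assumption of this example): a backslash
    quotes the next character so '/' and '@' can appear in a component.
    """
    parts, cur, in_realm, i = [], [], False, 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):
            cur.append(name[i + 1])      # quoted character, taken literally
            i += 2
            continue
        if not in_realm and ch in "/@":
            parts.append("".join(cur))   # close the current component
            cur = []
            in_realm = ch == "@"         # everything after '@' is the realm
        else:
            cur.append(ch)
        i += 1
    if in_realm:
        realm = "".join(cur)
    else:
        parts.append("".join(cur))
        realm = default_realm
    if not realm:
        raise ValueError("no realm in name and no default realm given")
    return parts, realm

def default_salt(principal, default_realm=None):
    """Realm name followed by the principal components in order."""
    parts, realm = parse_principal(principal, default_realm)
    return (realm + "".join(parts)).encode("utf-8")

def aes_pbkdf2_stage(password, salt, iterations=4096, length=32):
    """PBKDF2-HMAC-SHA1 stage of the RFC 3962 AES string-to-key.

    This is the intermediate value only; the final key also needs
    RFC 3962's DK step, which is not done here.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt, iterations, length)

if __name__ == "__main__":
    salt = default_salt("ghudson@ATHENA.MIT.EDU")
    print(salt)
    # Constructed sample password, not a real credential.
    print(aes_pbkdf2_stage("constructed-sample-password", salt).hex())
```

A principal whose salt was set explicitly will not match the computed default; the etype-info2 field or a database dump, as the message says, gives the value actually in use.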