Retrieving Kerberos password hash

kannan rbk kannanrbk.r at gmail.com
Tue Oct 7 11:07:12 EDT 2014


Thank you for your valuable time :)

On Tue, Oct 7, 2014 at 8:32 PM, Greg Hudson <ghudson at mit.edu> wrote:
> On 10/07/2014 08:43 AM, kannan rbk wrote:
>> Is there any way to get the password hash & salt from the Kerberos server?
>
> The Kerberos protocol uses a very specific kind of "password hash" (the
> RFC 3961 string-to-key operation), which may not be importable into
> other applications.  It might be importable into Active Directory since
> AD is itself a Kerberos implementation; I'm not certain.
>
> The MIT krb5 admin protocol doesn't allow long-term keys to be retrieved
> from the DB without changing them.  But you can retrieve long-term keys
> using kadmin.local (using the "ktadd -norandkey" operation) or from a
> database dump.
>
> The salt can be retrieved in a variety of ways: from the etype-info2
> field of an AS reply, from a database dump, or in most cases just by
> computing the default salt from the principal name.  The default salt
> for a principal name is the realm name followed by the principal
> components in order, e.g. "ATHENA.MIT.EDUghudson" for
> ghudson@ATHENA.MIT.EDU.



-- 
Regards,

Bharathikannan R
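
The default-salt rule described in the quoted reply, as an added example that is not part of the original thread or of MIT krb5's own code. The function names are hypothetical, the principal parser handles only simple backslash escapes, and the PBKDF2 call is just the first stage of the RFC 3962 AES string-to-key (the final key-derivation step needs AES and is omitted).

```python
import hashlib

def parse_principal(name, default_realm=None):
    """Split 'comp1/comp2@REALM' into (components, realm).
    Simplification: a backslash makes the next character literal."""
    parts, buf, in_realm, i = [], [], False, 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):
            buf.append(name[i + 1])          # escaped '/', '@' or '\'
            i += 2
            continue
        if not in_realm and ch in "/@":
            parts.append("".join(buf))       # close the current component
            buf = []
            in_realm = (ch == "@")
        else:
            buf.append(ch)
        i += 1
    if in_realm:
        realm = "".join(buf)
    else:
        parts.append("".join(buf))
        realm = default_realm
    if not realm or not all(parts):
        raise ValueError("principal needs a realm and non-empty components")
    return parts, realm

def default_salt(principal, default_realm=None):
    """Realm name followed by the principal components in order, no separators."""
    parts, realm = parse_principal(principal, default_realm)
    return (realm + "".join(parts)).encode("utf-8")

def aes_s2k_pbkdf2_stage(password, salt, iterations=4096, keylen=32):
    """First stage of RFC 3962 string-to-key: PBKDF2-HMAC-SHA1.
    4096 is the RFC 3962 default iteration count. The result is an
    intermediate value, not the final long-term key."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               iterations, keylen)

if __name__ == "__main__":
    # Constructed sample principals; the first is the one from the reply.
    for p in ("ghudson@ATHENA.MIT.EDU", "host/www.example.com@EXAMPLE.COM"):
        print(p, "->", default_salt(p))
    salt = default_salt("raeburn@ATHENA.MIT.EDU")
    print(aes_s2k_pbkdf2_stage("password", salt, iterations=1, keylen=16).hex())
```

Because the default salt is derived from the principal name, renaming a principal changes its default salt; a salt taken from etype-info2 or a database dump reflects what the KDC actually stored.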

