question about kdb5_util dump format
Jerry Shipman
jes59 at cornell.edu
Thu Oct 26 10:57:51 EDT 2017
Hello,
I am trying to investigate a report from a user that he could change his password to the same value, despite password history being enabled.
I can an old copy of the users' principal (before he changed his password) from a backup.
I can dump both the old and new principals using kdb5_util.
The ciphers are the same. The kvno is incremented by one on the new principal. Realm is the same, master key version is the same, etc.
But the file sizes are different, and the encrypted key blob field is different and a different length.
If the key blob is different (for the same ciphers), does it for sure mean that the passwords are different? Or is it maybe salted with the kvno or something? (I thought the salt was predictable -- realm, or principal name, or nothing -- which would be the same for the different keys. And it would almost have to be the same, in order for the history to work?)
I don't understand this at all, but I sort of naively expected that all keys of a certain cipher type would be the same size. Why is the one larger? Maybe does it contain the old key history in there? or something else? (I know the key history is stored somewhere...)
Is there something reasonable I can do to definitively find out whether the user's old and new passwords are the same?
Thank you for the help,
Jerry
More information about the Kerberos
mailing list