[krbdev.mit.edu #7532] still not ready for kvnos over 255
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Sat Jan 5 02:21:42 EST 2013
My understanding is that the krb5 keytab format was based loosely on
Kerberos 4's srvtab format, and in an error of omission, the kvno field
was left at 8 bits.
We have several heuristics to work around this mistake.
krb5_ktfile_get_entry() tries to detect wraparound when looking up the
highest kvno in the keytab, for instance.
There is a path away from this mistake if we look at Heimdal and Shishi.
They both support a 32-bit kvno value located after the existing keytab
fields, overriding the 8-bit value. This is documented at:
http://www.gnu.org/software/shishi/manual/html_node/The-Keytab-Binary-File-Format.html
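
The layout described in the message above, as an added example that is not part of the original message or of the MIT krb5 code: a parser for version 0x0502 keytab entries, following the Shishi document linked above, that prefers the trailing 32-bit kvno over the 8-bit field. The function names, the sample principal and the choice to treat a zero trailing value as padding are assumptions of this example.

```python
import struct

def build_entry(realm, name, kvno, keytype, key, vno32=True):
    # Serializes one 0x0502 entry; used only to construct the sample below.
    cs = lambda b: struct.pack(">H", len(b)) + b  # counted octet string
    body = struct.pack(">H", len(name)) + cs(realm) + b"".join(map(cs, name))
    # name type, timestamp, legacy 8-bit kvno (truncated), key type, key
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, keytype) + cs(key)
    if vno32:
        body += struct.pack(">I", kvno)  # 32-bit kvno after the existing fields
    return struct.pack(">i", len(body)) + body

def parse_entry(entry):
    off = 0
    def take(fmt):
        nonlocal off
        vals = struct.unpack_from(fmt, entry, off)  # struct.error if entry is short
        off += struct.calcsize(fmt)
        return vals
    def counted():
        (n,) = take(">H")
        return take(f">{n}s")[0]
    (ncomp,) = take(">H")
    realm = counted()
    name = [counted() for _ in range(ncomp)]
    _name_type, _timestamp, kvno, keytype = take(">IIBH")
    key = counted()
    if len(entry) - off >= 4:  # bytes left over: a 32-bit kvno follows the key
        (wide,) = take(">I")
        if wide != 0:  # assumption: zero is padding, keep the 8-bit value
            kvno = wide
    return {"realm": realm, "name": name, "kvno": kvno, "keytype": keytype, "key": key}

def parse_keytab(data):
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, out = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if pos + abs(size) > len(data):
            raise ValueError("entry overruns file")
        if size > 0:  # a negative size marks a deleted slot, which is skipped
            out.append(parse_entry(data[pos:pos + size]))
        pos += abs(size)
    return out

# Constructed sample: the same key at kvno 300, with and without the 32-bit field.
ARGS = (b"EXAMPLE.COM", [b"host", b"a.example.com"], 300, 18, bytes(32))
SAMPLE = b"\x05\x02" + build_entry(*ARGS) + build_entry(*ARGS, vno32=False)
```

Parsing `SAMPLE` yields kvno 300 for the first entry and 44 for the second, which is the wraparound a reader sees when only the 8-bit field is available.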