problem with master_key_type = des3-cbc-sha1?

Will Fiveash william.fiveash at
Thu May 16 12:25:00 EDT 2002

On Thu, May 16, 2002 at 09:32:29AM -0400, Sam Hartman wrote:
> I think you wanted des3-hmac-sha1 not des3-cbc-sha1.

This didn't help.  If I set master_key_type = des3-hmac-sha1 and use:

   /usr/local/sbin/kdb5_util create -r MIT122.ENG.SUN.COM -s

the enctype associated with K/M at MIT122.ENG.SUN.COM is

   /usr/local/sbin/kdb5_util create -r MIT122.ENG.SUN.COM -s -k des3-hmac-sha1

then kadmin.local returns this error message:

Authenticating as principal hooshang/admin at MIT122.ENG.SUN.COM with
kadmin.local: Stored master key is corrupted while initializing
kadmin.local interface

BTW, why shouldn't I be able to use des3-cbc-sha1.  It's a valid
enctype that maps to ENCTYPE_DES3_CBC_SHA1.  In fact now that I'm
looking at src/lib/crypto/etypes.c, I see that both des3-cbc-sha1 and
des3-hmac-sha1 map to ENCTYPE_DES3_CBC_SHA1.

Can you get the enctype for K/M at REALM to be des3-hmac-sha1?  Does
kadmin.local, kadmin and kdc work?  I'm also wondering what the
default enctype for the master key should be.  It seems to me it
should be ENCTYPE_DES3_CBC_SHA1 but that's not what I'm seeing.  The
default master key enctype seems to be ENCTYPE_DES_CBC_CRC.

One last thing, I noticed some code in src/kdc/main.c that seems like
it could be a problem for the kdc to work properly if the master key
is ENCTYPE_DES3_CBC_SHA1.  At line 246 there's this:

    /* Handle key/salt list */
    if (rparams && rparams->realm_num_keysalts) {
    rdp->realm_kstypes = rparams->realm_keysalts;
    rdp->realm_nkstypes = rparams->realm_num_keysalts;
    rparams->realm_keysalts = NULL;
    rparams->realm_num_keysalts = 0;
    kslist = (krb5_key_salt_tuple *) rdp->realm_kstypes;
    nkslist = rdp->realm_nkstypes;
    } else {
     * XXX  Initialize default key/salt list.
    if ((kslist = (krb5_key_salt_tuple *)
         malloc(sizeof(krb5_key_salt_tuple)))) {
        kslist->ks_enctype = ENCTYPE_DES_CBC_CRC;
        kslist->ks_salttype = KRB5_KDB_SALTTYPE_NORMAL;
        rdp->realm_kstypes = kslist;
        rdp->realm_nkstypes = 1;
        nkslist = 1;

If I don't explicitly set either kdc_supported_enctypes or
supported_enctypes then rparams->realm_num_keysalts == 0.  This means
that the else side of the block will be executed.  Later in the code
(line 361) I see:

    for (i=0; i<nkslist; i++) {
    if (!(kret = krb5_dbe_find_enctype(rdp->realm_context,

What I saw was that db_entry->key_data[0].key_data_type[0] ==
ENCTYPE_DES3_CBC_SHA1 and kslist[0].ks_enctype = ENCTYPE_DES_CBC_CRC
from the earlier assignment.  This means that krb5_dbe_find_enctype()

Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)

More information about the krbdev mailing list