Proposal: Support for 32 bit version numbers in keytabs

Nicolas Williams Nicolas.Williams at
Thu Dec 2 14:06:36 EST 2004

On Thu, Dec 02, 2004 at 01:15:44PM -0500, Ezra Peisach wrote:
> >How does this work with SEAM on Solaris or HP's Kerberos or any other
> >vendor?
> The short answer is - I do not know.
> If HP's kerberos is really based on MIT 1.2.2 release (according to one
> web site) - then they do not have the vno > 240 hacks - but the file
> reading code should be the same.
> SEAM: Nico can speak better to this...

Although we don't treat the keytab file format as a public interface we
try not to break compat with MIT; fortunately here it looks like for the
three Solaris releases (8, 9 and 10) I've cursorily checked at there
would be no problems -- but, to be sure, we haven't done a sufficient
search, so wait a bit.

Even if there were problems, one approach, which Ezra mentioned in the
proposal, would be to include the 32-bit kvno only when it is larger
than 2^256, which would avoid any potential problems for many.  If
there's any doubt about any compatibility with any implementations that
have heretofore had a keytab format that is compatible with MIT krb5's,
then that approach is worth following.

> Other vendors - I do not know...  Regretfully, as far as I know - there is
> no published standard for the keytab file. Please correct me if I am
> wrong.
> Does anyone know of the interoperability of keytabs? Remember - we will
> still be able to read - or import the older format (say from Windows)...
> I suppose we can setup a flag in krb5.conf to not produce this
> extended keytab file for those that need it...

That is another possibility.  Or, perhaps better, a kadmin ktadd /
ktutil addent option.



More information about the krbdev mailing list