Proposal: Support for 32 bit version numbers in keytabs
Nicolas.Williams at sun.com
Thu Dec 2 14:06:36 EST 2004
On Thu, Dec 02, 2004 at 01:15:44PM -0500, Ezra Peisach wrote:
> >How does this work with SEAM on Solaris or HP's Kerberos or any other
> The short answer is - I do not know.
> If HP's kerberos is really based on MIT 1.2.2 release (according to one
> web site) - then they do not have the vno > 240 hacks - but the file
> reading code should be the same.
> SEAM: Nico can speak better to this...
Although we don't treat the keytab file format as a public interface we
try not to break compat with MIT; fortunately here it looks like for the
three Solaris releases (8, 9 and 10) I've cursorily checked at there
would be no problems -- but, to be sure, we haven't done a sufficient
search, so wait a bit.
Even if there were problems, one approach, which Ezra mentioned in the
proposal, would be to include the 32-bit kvno only when it is larger
than 2^256, which would avoid any potential problems for many. If
there's any doubt about any compatibility with any implementations that
have heretofore had a keytab format that is compatible with MIT krb5's,
then that approach is worth following.
> Other vendors - I do not know... Regretfully, as far as I know - there is
> no published standard for the keytab file. Please correct me if I am
> Does anyone know of the interoperability of keytabs? Remember - we will
> still be able to read - or import the older format (say from Windows)...
> I suppose we can setup a flag in krb5.conf to not produce this
> extended keytab file for those that need it...
That is another possibility. Or, perhaps better, a kadmin ktadd /
ktutil addent option.
More information about the krbdev