TGT from keytab w/ preauth required?

Jeffrey Altman jaltman at MIT.EDU
Sun May 28 00:11:09 EDT 2006

When using passwords a salt is applied as part of the process of
deriving the key.  When using a key tab, the key has already been
derived using the correct salt.

Jeffrey Altman

Michael B Allen wrote:
> Hey,
> Is there any way to get a TGT from a keytab if preauthentication is
> required?
> I was looking at krb5_get_init_creds_keytab but that function looks
> somewhat useless if preauthentication is required as it appears the salt
> is applied to the plaintext password.
> Ultimately I want to obtain credentials for a service that runs
> indefinitely. I thought it would be easier and more secure to have the
> administrator export a keytab with the service principal key and then
> copy that to a priviledged location on the service host. The alternative
> of using a password requires that the administrator make up and type in
> a possibly weak password and then type it in again on the service host.
> What's the correct way to do this?
> Thanks,
> Mike
> _______________________________________________
> krbdev mailing list             krbdev at

More information about the krbdev mailing list