TGT from keytab w/ preauth required?

Michael B Allen mba2000 at
Sun May 28 02:47:20 EDT 2006

Meaning there's a particular salt that's fixed for a given principal in
which case you *can* use a keytab to get a TGT?

Then why doesn't the krb5_get_init_creds_keytab function try to perform
preauth? At least MIT and Heimdal don't. So if I just skip the string
to key w/ salt business and use the key from the keytab directly that
will be suitable for computing the padata?


On Sun, 28 May 2006 00:11:09 -0400
Jeffrey Altman <jaltman at> wrote:

> When using passwords a salt is applied as part of the process of
> deriving the key.  When using a key tab, the key has already been
> derived using the correct salt.
> Jeffrey Altman
> Michael B Allen wrote:
> > Hey,
> > 
> > Is there any way to get a TGT from a keytab if preauthentication is
> > required?
> > 
> > I was looking at krb5_get_init_creds_keytab but that function looks
> > somewhat useless if preauthentication is required as it appears the salt
> > is applied to the plaintext password.
> > 
> > Ultimately I want to obtain credentials for a service that runs
> > indefinitely. I thought it would be easier and more secure to have the
> > administrator export a keytab with the service principal key and then
> > copy that to a priviledged location on the service host. The alternative
> > of using a password requires that the administrator make up and type in
> > a possibly weak password and then type it in again on the service host.
> > 
> > What's the correct way to do this?
> > 
> > Thanks,
> > Mike
> > _______________________________________________
> > krbdev mailing list             krbdev at
> >

More information about the krbdev mailing list