TGT from keytab w/ preauth required?
Michael B Allen
mba2000 at ioplex.com
Sun May 28 02:47:20 EDT 2006
Meaning there's a particular salt that's fixed for a given principal in
which case you *can* use a keytab to get a TGT?
Then why doesn't the krb5_get_init_creds_keytab function try to perform
preauth? At least MIT and Heimdal don't. So if I just skip the string
to key w/ salt business and use the key from the keytab directly that
will be suitable for computing the padata?
Mike
On Sun, 28 May 2006 00:11:09 -0400
Jeffrey Altman <jaltman at mit.edu> wrote:
> When using passwords a salt is applied as part of the process of
> deriving the key. When using a key tab, the key has already been
> derived using the correct salt.
>
> Jeffrey Altman
>
> Michael B Allen wrote:
> > Hey,
> >
> > Is there any way to get a TGT from a keytab if preauthentication is
> > required?
> >
> > I was looking at krb5_get_init_creds_keytab but that function looks
> > somewhat useless if preauthentication is required as it appears the salt
> > is applied to the plaintext password.
> >
> > Ultimately I want to obtain credentials for a service that runs
> > indefinitely. I thought it would be easier and more secure to have the
> > administrator export a keytab with the service principal key and then
> > copy that to a privileged location on the service host. The alternative
> > of using a password requires that the administrator make up and type in
> > a possibly weak password and then type it in again on the service host.
> >
> > What's the correct way to do this?
> >
> > Thanks,
> > Mike
> > _______________________________________________
> > krbdev mailing list krbdev at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/krbdev
>
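As an added illustration of the reply quoted above (not code from this thread, MIT krb5 or Heimdal), the following Python parses the version 0x0502 keytab file layout and shows that an entry carries only the principal, kvno, enctype and the finished key, with no password or salt field. The sample keytab, its principal name and its key bytes are constructed for the example.

```python
import struct
KEYTAB_V2 = b"\x05\x02"
def _counted(b):
    return struct.pack(">H", len(b)) + b

def build_entry(realm, components, kvno, enctype, key):
    """Serialise one v2 keytab entry (constructed test data, big-endian)."""
    body = struct.pack(">H", len(components)) + _counted(realm)
    body += b"".join(_counted(c) for c in components)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name type, timestamp, 8-bit kvno
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)                  # optional 32-bit kvno
    return struct.pack(">i", len(body)) + body

def parse_entry(buf):
    """Decode one entry body. Note what is absent: no password, no salt."""
    p = 0
    def take(fmt):
        nonlocal p
        vals = struct.unpack_from(fmt, buf, p)       # raises struct.error on overrun
        p += struct.calcsize(fmt)
        return vals
    def counted():
        (n,) = take(">H")
        return take(f">{n}s")[0]
    (ncomp,) = take(">H")
    realm = counted()
    comps = [counted() for _ in range(ncomp)]
    _name_type, _timestamp, kvno = take(">IIB")
    (enctype,) = take(">H")
    key = counted()                                  # the already-derived key
    if len(buf) - p >= 4:                            # trailing 32-bit kvno, if present
        (kvno,) = take(">I")
    principal = b"/".join(comps).decode() + "@" + realm.decode()
    return {"principal": principal, "kvno": kvno, "enctype": enctype, "key": key}

def parse_keytab(data):
    if data[:2] != KEYTAB_V2:
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        if size > 0:                                 # negative size marks a deleted slot
            entries.append(parse_entry(data[pos + 4:pos + 4 + size]))
        pos += 4 + abs(size)
    return entries

# Constructed sample: one aes128-cts-hmac-sha1-96 (enctype 17) key, bytes made up.
SAMPLE = KEYTAB_V2 + build_entry(b"EXAMPLE.COM", [b"host", b"svc.example.com"],
                                 3, 17, bytes(range(16)))
```

Because the stored bytes are the key itself, whoever can read the keytab can compute the same preauthentication data as the service, which is why the file's location and permissions matter.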