TGT from keytab w/ preauth required?

Shawn M Emery Shawn.Emery at Sun.COM
Sun May 28 03:40:19 EDT 2006

Michael B Allen wrote:
> Meaning there's a particular salt that's fixed for a given principal in
> which case you *can* use a keytab to get a TGT?
The salt is derived from the principal name and realm by default.
> Then why doesn't the krb5_get_init_creds_keytab function try to perform
> preauth? At least MIT and Heimdal don't. So if I just skip the string
It does perform preauth if the REQUIRES_PRE_AUTH attribute has been set 
for the principal.
> to key w/ salt business and use the key from the keytab directly that
> will be suitable for computing the padata?

> On Sun, 28 May 2006 00:11:09 -0400
> Jeffrey Altman <jaltman at> wrote:
>> When using passwords a salt is applied as part of the process of
>> deriving the key.  When using a key tab, the key has already been
>> derived using the correct salt.
>> Jeffrey Altman
>> Michael B Allen wrote:
>>> Hey,
>>> Is there any way to get a TGT from a keytab if preauthentication is
>>> required?
>>> I was looking at krb5_get_init_creds_keytab but that function looks
>>> somewhat useless if preauthentication is required as it appears the salt
>>> is applied to the plaintext password.
>>> Ultimately I want to obtain credentials for a service that runs
>>> indefinitely. I thought it would be easier and more secure to have the
>>> administrator export a keytab with the service principal key and then
>>> copy that to a privileged location on the service host. The alternative
>>> of using a password requires that the administrator make up and type in
>>> a possibly weak password and then type it in again on the service host.
>>> What's the correct way to do this?
>>> Thanks,
>>> Mike
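
Added example, not part of the original thread and not MIT or Heimdal code: a Python sketch of the point made in the replies above, that the default salt is built from the realm and principal name and is only consumed when a key is derived from a password, while a keytab entry is used as-is. Assumptions: the keytab is modelled as a plain dict, the principal and password are constructed samples, and only the salted PBKDF2 stage of the RFC 3962 AES string-to-key is computed (the final DK step needs AES), so the bytes are a stand-in for a real key.

```python
import hashlib

def default_salt(principal: str) -> bytes:
    """Default salt: the realm followed by each name component, no separators."""
    name, sep, realm = principal.rpartition("@")
    if not (sep and name and realm):
        raise ValueError("expected name@REALM")
    return (realm + "".join(name.split("/"))).encode("utf-8")

def password_to_seed(password: str, principal: str,
                     iterations: int = 4096, length: int = 32) -> bytes:
    """Salted PBKDF2-HMAC-SHA1 stage of the RFC 3962 string-to-key.

    The final DK(key, "kerberos") step is omitted because it needs AES,
    so the result stands in for the long-term key in this sketch.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               default_salt(principal), iterations, length)

def long_term_key(principal, keytab=None, password=None):
    """Return (key, salt_used). A keytab hit needs no salt at all."""
    if keytab is not None and principal in keytab:
        return keytab[principal], None          # key was derived earlier
    if password is None:
        raise LookupError("no keytab entry and no password for " + principal)
    return password_to_seed(password, principal), default_salt(principal)

# Constructed sample values (assumptions, not from the thread).
SERVICE = "host/app01.example.com@EXAMPLE.COM"
PASSWORD = "constructed-sample-password"
# Simplified keytab model: principal -> already derived key. It is derived
# from the sample password here only so the two paths can be compared.
KEYTAB = {SERVICE: password_to_seed(PASSWORD, SERVICE)}

if __name__ == "__main__":
    kt_key, kt_salt = long_term_key(SERVICE, keytab=KEYTAB)
    pw_key, pw_salt = long_term_key(SERVICE, password=PASSWORD)
    print("default salt      :", default_salt(SERVICE).decode())
    print("keytab path salt  :", kt_salt)
    print("password path salt:", pw_salt.decode())
    print("same key material :", kt_key == pw_key)
    other = password_to_seed(PASSWORD, "host/app02.example.com@EXAMPLE.COM")
    print("other principal, same password, same key:", other == pw_key)
```

Either path ends with the same key material, which is what the encrypted-timestamp padata is computed with; the salt only matters on the password path.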
