TGT from keytab w/ preauth required?

Shawn M Emery Shawn.Emery at Sun.COM
Sun May 28 03:40:19 EDT 2006


Michael B Allen wrote:
> Meaning there's a particular salt that's fixed for a given principal in
> which case you *can* use a keytab to get a TGT?
>   
The salt is derived from the principal name and realm by default.
> Then why doesn't the krb5_get_init_creds_keytab function try to perform
> preauth? At least MIT and Heimdal don't. So if I just skip the string
>   
It does perform preauth if the REQUIRES_PRE_AUTH attribute has been set 
for the principal.
> to key w/ salt business and use the key from the keytab directly that
> will be suitable for computing the padata?
>   
Yes.

Shawn.
--
> On Sun, 28 May 2006 00:11:09 -0400
> Jeffrey Altman <jaltman at mit.edu> wrote:
>
>   
>> When using passwords a salt is applied as part of the process of
>> deriving the key.  When using a key tab, the key has already been
>> derived using the correct salt.
>>
>> Jeffrey Altman
>>
>> Michael B Allen wrote:
>>     
>>> Hey,
>>>
>>> Is there any way to get a TGT from a keytab if preauthentication is
>>> required?
>>>
>>> I was looking at krb5_get_init_creds_keytab but that function looks
>>> somewhat useless if preauthentication is required as it appears the salt
>>> is applied to the plaintext password.
>>>
>>> Ultimately I want to obtain credentials for a service that runs
>>> indefinitely. I thought it would be easier and more secure to have the
>>> administrator export a keytab with the service principal key and then
>>> copy that to a privileged location on the service host. The alternative
>>> of using a password requires that the administrator make up and type in
>>> a possibly weak password and then type it in again on the service host.
>>>
>>> What's the correct way to do this?
>>>
>>> Thanks,
>>> Mike
>>> _______________________________________________
>>> krbdev mailing list             krbdev at mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/krbdev
>>>       
>   
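
Added example (not from any poster in this thread, nor from MIT krb5 or Heimdal) of the point made above: a password needs the salt before it can become a key, while a keytab entry already holds the derived key. It runs only the PBKDF2-HMAC-SHA1 stage of the RFC 3962 AES string-to-key and omits the final DK step. The realm, principal, passphrase and all function names are constructed for illustration.

```python
import hashlib

def default_salt(realm, components):
    """Default salt: the realm followed by the principal's name components, no separators."""
    return (realm + "".join(components)).encode("utf-8")

def string_to_key_stage(password, salt, iterations=4096, keylen=32):
    """PBKDF2-HMAC-SHA1 stage of the AES string-to-key (RFC 3962).
    The final DK(tkey, "kerberos") step is omitted, so the result
    is not a usable Kerberos key; it only shows the salt dependence."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, keylen)

def export_keytab(password, realm, components):
    """Admin side: derive once with the correct salt and store only the result."""
    principal = "/".join(components) + "@" + realm
    key = string_to_key_stage(password, default_salt(realm, components))
    return {principal: key}  # dict standing in for a keytab entry (assumption)

def key_from_keytab(keytab, principal):
    """Service side: the stored key is used as-is; no password and no salt involved."""
    return keytab[principal]

def demo():
    # Constructed sample values, not taken from the thread.
    realm = "EXAMPLE.COM"
    name = ["HTTP", "svc.example.com"]
    password = "constructed-passphrase"

    keytab = export_keytab(password, realm, name)
    from_keytab = key_from_keytab(keytab, "HTTP/svc.example.com@EXAMPLE.COM")
    from_password = string_to_key_stage(password, default_salt(realm, name))
    # Same password, but the salt is built from a different spelling of the realm.
    wrong_salt = string_to_key_stage(password, default_salt("example.com", name))
    return {
        "salt": default_salt(realm, name),
        "key_length": len(from_keytab),
        "keytab_matches_password": from_keytab == from_password,
        "wrong_salt_matches": wrong_salt == from_keytab,
    }

if __name__ == "__main__":
    for field, value in demo().items():
        print(field, value)
```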



