TGT from keytab w/ preauth required?

Markus Moeller huaraz at
Sun May 28 08:51:54 EDT 2006

We use a Windows kdc and a tool like Dan Perrys msktutil to create keytabs 
with service principals like ftpbatch/client1.
We then do something like
kinit -c ./cache.$$ -l 2m -kt keytab ftpbatch/client1; set 
KRB5CCNME=./cache.$$, ftp -x <cmdinput ; kdestroy
for a batch ftp process. msktutil has also an option to re-extract the 
service principal with a new random password which you could use from a 
cronjob to change the keytab once a month to avoid misuse of old backups.

Is it that you try to achieve only in a program ?


"Shawn M Emery" <Shawn.Emery at Sun.COM> wrote in message 
news:447953E3.8060809 at
> Michael B Allen wrote:
>> Meaning there's a particular salt that's fixed for a given principal in
>> which case you *can* use a keytab to get a TGT?
> The salt is derived from the principal name and realm by default.
>> Then why doesn't the krb5_get_init_creds_keytab function try to perform
>> preauth? At least MIT and Heimdal don't. So if I just skip the string
> It does perform preauth if the REQUIRES_PRE_AUTH attribute has been set
> for the principal.
>> to key w/ salt business and use the key from the keytab directly that
>> will be suitable for computing the padata?
> Yes.
> Shawn.
> --
>> On Sun, 28 May 2006 00:11:09 -0400
>> Jeffrey Altman <jaltman at> wrote:
>>> When using passwords a salt is applied as part of the process of
>>> deriving the key.  When using a key tab, the key has already been
>>> derived using the correct salt.
>>> Jeffrey Altman
>>> Michael B Allen wrote:
>>>> Hey,
>>>> Is there any way to get a TGT from a keytab if preauthentication is
>>>> required?
>>>> I was looking at krb5_get_init_creds_keytab but that function looks
>>>> somewhat useless if preauthentication is required as it appears the 
>>>> salt
>>>> is applied to the plaintext password.
>>>> Ultimately I want to obtain credentials for a service that runs
>>>> indefinitely. I thought it would be easier and more secure to have the
>>>> administrator export a keytab with the service principal key and then
>>>> copy that to a priviledged location on the service host. The 
>>>> alternative
>>>> of using a password requires that the administrator make up and type in
>>>> a possibly weak password and then type it in again on the service host.
>>>> What's the correct way to do this?
>>>> Thanks,
>>>> Mike
>>>> _______________________________________________
>>>> krbdev mailing list             krbdev at
>> _______________________________________________
>> krbdev mailing list             krbdev at
> _______________________________________________
> krbdev mailing list             krbdev at

More information about the krbdev mailing list