TGT from keytab w/ preauth required?
huaraz at moeller.plus.com
Sun May 28 08:51:54 EDT 2006
We use a Windows kdc and a tool like Dan Perrys msktutil to create keytabs
with service principals like ftpbatch/client1.
We then do something like
kinit -c ./cache.$$ -l 2m -kt keytab ftpbatch/client1; set
KRB5CCNME=./cache.$$, ftp -x <cmdinput ; kdestroy
for a batch ftp process. msktutil has also an option to re-extract the
service principal with a new random password which you could use from a
cronjob to change the keytab once a month to avoid misuse of old backups.
Is it that you try to achieve only in a program ?
"Shawn M Emery" <Shawn.Emery at Sun.COM> wrote in message
news:447953E3.8060809 at sun.com...
> Michael B Allen wrote:
>> Meaning there's a particular salt that's fixed for a given principal in
>> which case you *can* use a keytab to get a TGT?
> The salt is derived from the principal name and realm by default.
>> Then why doesn't the krb5_get_init_creds_keytab function try to perform
>> preauth? At least MIT and Heimdal don't. So if I just skip the string
> It does perform preauth if the REQUIRES_PRE_AUTH attribute has been set
> for the principal.
>> to key w/ salt business and use the key from the keytab directly that
>> will be suitable for computing the padata?
>> On Sun, 28 May 2006 00:11:09 -0400
>> Jeffrey Altman <jaltman at mit.edu> wrote:
>>> When using passwords a salt is applied as part of the process of
>>> deriving the key. When using a key tab, the key has already been
>>> derived using the correct salt.
>>> Jeffrey Altman
>>> Michael B Allen wrote:
>>>> Is there any way to get a TGT from a keytab if preauthentication is
>>>> I was looking at krb5_get_init_creds_keytab but that function looks
>>>> somewhat useless if preauthentication is required as it appears the
>>>> is applied to the plaintext password.
>>>> Ultimately I want to obtain credentials for a service that runs
>>>> indefinitely. I thought it would be easier and more secure to have the
>>>> administrator export a keytab with the service principal key and then
>>>> copy that to a priviledged location on the service host. The
>>>> of using a password requires that the administrator make up and type in
>>>> a possibly weak password and then type it in again on the service host.
>>>> What's the correct way to do this?
>>>> krbdev mailing list krbdev at mit.edu
>> krbdev mailing list krbdev at mit.edu
> krbdev mailing list krbdev at mit.edu
More information about the krbdev