kadm5_rename_principal salt question

John Hascall john at iastate.edu
Mon Sep 24 11:30:18 EDT 2007

In the function kadm5_rename_principal
in the file lib/kadm5/srv/svr_principal.c
starting at line 678 (krb5-1.6.3-beta1)
we have:

    /* this is kinda gross, but unavoidable */

    for (i=0; i<kdb.n_key_data; i++) {
        if ((kdb.key_data[i].key_data_ver == 1) ||
            (kdb.key_data[i].key_data_type[1] == KRB5_KDB_SALTTYPE_NORMAL)) {
            ret = KADM5_NO_RENAME_SALT;
            goto done;

which I am trying to understand.
In include/kdb.h we find:

 * If this ever changes up the version number and make the arrays be as
 * big as necessary.
 * Currently the first type is the enctype and the second is the salt type.
typedef struct _krb5_key_data {
    krb5_int16            key_data_ver;         /* Version */
    krb5_int16            key_data_kvno;        /* Key Version */
    krb5_int16            key_data_type[2];     /* Array of types */
    krb5_ui_2             key_data_length[2];   /* Array of lengths */
    krb5_octet          * key_data_contents[2]; /* Array of pointers */
} krb5_key_data;

Thus, it seems to me that key_data_ver tells us whether 1 or 2 elements
of the key_data_type/length/contents arrays are used (where
the [0]th element is the enctype and the [1]st element is the salt).

So, back to the original code above:

        if ((kdb.key_data[i].key_data_ver == 1) ||
            (kdb.key_data[i].key_data_type[1] == KRB5_KDB_SALTTYPE_NORMAL)) {

So this seems to be saying if there is no explicit salt info,
or if there is but it is a 'normal salt' (i.e., REALMprinc)
then a principal rename cannot be done.

I'm wondering why this is?
And why would it not be possible to do something like the following?

    if ((kdb.key_data[i].key_data_ver == 1) ||
        ((kdb.key_data[i].key_data_type[1] == KRB5_KDB_SALTTYPE_NORMAL) &&
         (kdb.key_data[i].key_data_length[1] == 0))) {
        /* derive the salt the old name produces (REALM + components) */
        krb5_principal2salt(handle->context, entry->principal, &salt_data);
        kdb.key_data[i].key_data_ver = 2;
        kdb.key_data[i].key_data_type[1] = KRB5_KDB_SALTTYPE_NORMAL;
        kdb.key_data[i].key_data_length[1] = salt_data.length;
        kdb.key_data[i].key_data_contents[1] = (krb5_octet *)salt_data.data;
    }

thus putting in an explicit salt of the soon-to-be-old-name of the
principal.  This could then be updated (or removed) at the principal's
next password change.


More information about the krbdev mailing list
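The check and the proposed transformation, worked through as an added, stand-alone model (this is not code from the post above and not MIT krb5 code). It mirrors the krb5_key_data layout quoted from include/kdb.h and the kdb.h salt-type constants (NORMAL is 0, SPECIAL is 4), models krb5_principal2salt as "realm followed by the principal components with the separators dropped", and adds a small `effective_salt` helper standing in for what a KDC does with each salt type. One design choice differs from the snippet in the post: the pinned salt is stored with type KRB5_KDB_SALTTYPE_SPECIAL rather than NORMAL, because a NORMAL salt type tells the KDC to recompute the salt from the principal's current name, which would make the stored bytes irrelevant after the rename. The realm, principal names and enctype number are constructed sample values.

```c
/* Added example: model of the kadm5_rename_principal salt check and of
 * "pin the old name's salt before renaming".  Not MIT krb5 code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KRB5_KDB_SALTTYPE_NORMAL  0   /* values as in include/kdb.h */
#define KRB5_KDB_SALTTYPE_SPECIAL 4

typedef struct {
    int16_t   key_data_ver;         /* 1 = enctype only, 2 = enctype + salt */
    int16_t   key_data_kvno;
    int16_t   key_data_type[2];     /* [0] enctype, [1] salt type */
    uint16_t  key_data_length[2];
    uint8_t  *key_data_contents[2];
} key_data_t;

/* Model of krb5_principal2salt: the "normal" salt is the realm followed by
 * the principal's components, no separators.  Caller frees the result. */
static char *principal2salt(const char *realm, const char *princ_name)
{
    size_t rlen = strlen(realm), plen = strlen(princ_name), n, i;
    char *salt = malloc(rlen + plen + 1);
    if (salt == NULL)
        return NULL;
    memcpy(salt, realm, rlen);
    n = rlen;
    for (i = 0; i < plen; i++)
        if (princ_name[i] != '/')       /* drop component separators */
            salt[n++] = princ_name[i];
    salt[n] = '\0';
    return salt;
}

/* The condition kadm5_rename_principal refuses on: the key's salt is
 * (implicitly or explicitly) derived from the principal name. */
static int salt_depends_on_name(const key_data_t *k)
{
    return k->key_data_ver == 1 ||
           k->key_data_type[1] == KRB5_KDB_SALTTYPE_NORMAL;
}

/* Record the salt the OLD name produced as an explicit (SPECIAL) salt so the
 * existing key keeps working after the rename.  Keys that already carry a
 * non-NORMAL salt are left alone.  Returns 0 on success, -1 on OOM. */
static int pin_old_salt(key_data_t *k, const char *realm, const char *old_name)
{
    char *salt;
    if (!salt_depends_on_name(k))
        return 0;
    salt = principal2salt(realm, old_name);
    if (salt == NULL)
        return -1;
    k->key_data_ver = 2;
    k->key_data_type[1] = KRB5_KDB_SALTTYPE_SPECIAL;
    k->key_data_length[1] = (uint16_t)strlen(salt);
    k->key_data_contents[1] = (uint8_t *)salt;   /* now owned by the key */
    return 0;
}

/* The salt a KDC would use for this key given the principal's CURRENT name:
 * no salt info / NORMAL means "recompute from the name", SPECIAL means "use
 * the stored bytes".  Other salt types are not modelled.  Caller frees. */
static char *effective_salt(const key_data_t *k, const char *realm,
                            const char *current_name)
{
    char *s;
    if (salt_depends_on_name(k))
        return principal2salt(realm, current_name);
    if (k->key_data_type[1] != KRB5_KDB_SALTTYPE_SPECIAL)
        return NULL;
    s = malloc(k->key_data_length[1] + 1u);
    if (s == NULL)
        return NULL;
    memcpy(s, k->key_data_contents[1], k->key_data_length[1]);
    s[k->key_data_length[1]] = '\0';
    return s;
}

int main(void)
{
    /* Constructed sample: john@IASTATE.EDU renamed to jhascall@IASTATE.EDU,
     * one aes256-cts (18) key stored with key_data_ver 1 (no salt info). */
    const char *realm = "IASTATE.EDU";
    key_data_t k = { 1, 1, { 18, 0 }, { 0, 0 }, { NULL, NULL } };
    char *before = effective_salt(&k, realm, "john");
    char *after;
    pin_old_salt(&k, realm, "john");
    after = effective_salt(&k, realm, "jhascall");
    printf("salt before rename: %s\nsalt after rename:  %s\n", before, after);
    free(before);
    free(after);
    free(k.key_data_contents[1]);
    return 0;
}
```

Without the pin step, `effective_salt` on the renamed principal would return `IASTATE.EDUjhascall`, and the stored key (derived from the password with salt `IASTATE.EDUjohn`) would no longer match what the client derives; with the pin step both names yield the old salt until the next password change replaces the key.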