kadm5_rename_principal salt question
Russ Allbery
rra at stanford.edu
Mon Sep 24 13:43:57 EDT 2007
John Hascall <john at iastate.edu> writes:
> And why would it not be possible to do something like the following?
> if ((kdb.key_data[i].key_data_ver == 1) ||
>     ((kdb.key_data[i].key_data_type[1] == KRB5_KDB_SALTTYPE_NORMAL) &&
>      (kdb.key_data[i].key_data_length[1] == 0))) {
>     krb5_principal2(handle->context, entry->principal, &salt_data);
>     kdb.key_data[i].key_data_ver = 2;
>     kdb.key_data[i].key_data_type[1] = KRB5_KDB_SALTTYPE_NORMAL;
>     kdb.key_data[i].key_data_length[1] = salt_data.length;
>     kdb.key_data[i].key_data_contents[1] = (krb5_octet *)salt_data.data;
> }
> thus putting in an explicit salt of the soon-to-be-old-name of the
> principal. This could then be updated (or removed) at the principal's
> next password change.
How would a client know the salt in order to derive the same key to
decrypt a KDC reply?
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
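The exchange above turns on one fact: with salt type NORMAL and no stored salt, the key is derived from the password plus the principal's own name, so renaming the principal silently changes the salt. The following is an added illustration, not code from the thread or from MIT Kerberos. It models only the salt fields of a key_data element and the check from the quoted snippet, computes the RFC 4120 default salt (realm followed by the name components, no separators), and runs the password through the PBKDF2 stage of the RFC 3962 AES string-to-key function; the final DK() step needs AES and is omitted, since the salt dependency is already visible at this stage. The realm, names and password are constructed sample input. It shows that pinning the old name's salt keeps the KDC's stored key valid, but a client that assumes the default salt for the new name still derives a different key, which is exactly the question raised in the reply: the client has to be told the explicit salt.

```python
"""Added example: why a principal rename changes a NORMAL-salted key.

Not code from the krbdev thread or from MIT krb5; it only models the
salt-related fields of one key_data element.
"""
import hashlib
from dataclasses import dataclass

# Salt-type value as numbered in MIT krb5's kdb.h.
KRB5_KDB_SALTTYPE_NORMAL = 0


def default_salt(realm: str, components: list) -> bytes:
    """RFC 4120 default salt: realm name + all name components, no separators."""
    return (realm + "".join(components)).encode("utf-8")


def string_to_key_stage1(password: str, salt: bytes) -> bytes:
    """First stage of the RFC 3962 aes128-cts string-to-key function.

    tkey = PBKDF2-HMAC-SHA1(password, salt, 4096 iterations, 16 bytes).
    The final DK(tkey, "kerberos") step is omitted (needs AES); it does not
    change the fact that a different salt yields a different key.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, 4096, 16)


@dataclass
class KeyData:
    """Salt fields of a krb5 key_data element (hypothetical simplification)."""
    key_data_ver: int = 1                       # 1 = key only, 2 = key + salt
    salt_type: int = KRB5_KDB_SALTTYPE_NORMAL   # key_data_type[1]
    salt: bytes = b""                           # key_data_contents[1]; empty = implicit


def uses_implicit_salt(kd: KeyData) -> bool:
    """The condition from the quoted snippet: no explicit salt is stored."""
    return kd.key_data_ver == 1 or (
        kd.salt_type == KRB5_KDB_SALTTYPE_NORMAL and len(kd.salt) == 0
    )


def effective_salt(kd: KeyData, realm: str, components: list) -> bytes:
    """Salt the KDC uses for this entry under its *current* name."""
    if uses_implicit_salt(kd):
        return default_salt(realm, components)
    return kd.salt


def pin_salt_before_rename(kd: KeyData, realm: str, old_components: list) -> KeyData:
    """The proposal from the thread: store the soon-to-be-old name's salt explicitly."""
    if uses_implicit_salt(kd):
        return KeyData(key_data_ver=2, salt_type=KRB5_KDB_SALTTYPE_NORMAL,
                       salt=default_salt(realm, old_components))
    return kd


def rename_demo(realm="EXAMPLE.COM", old=None, new=None, password="correct horse"):
    """Return (original_key, kdc_key_after_pinned_rename, client_key_assuming_default).

    Constructed sample input: principal jdoe@EXAMPLE.COM renamed to john@EXAMPLE.COM.
    """
    old = old or ["jdoe"]
    new = new or ["john"]
    kd = KeyData()                                   # as created at password set time
    original = string_to_key_stage1(password, effective_salt(kd, realm, old))

    pinned = pin_salt_before_rename(kd, realm, old)  # KDC side, before the rename
    kdc_after = string_to_key_stage1(password, effective_salt(pinned, realm, new))

    # A client that is not told the stored salt derives it from the new name.
    client_guess = string_to_key_stage1(password, default_salt(realm, new))
    return original, kdc_after, client_guess


if __name__ == "__main__":
    orig, kdc, client = rename_demo()
    print("KDC key unchanged by pinned rename:", orig == kdc)
    print("client key (default salt, new name) matches:", orig == client)
```

Without the pinning step the KDC itself would recompute the default salt from the new name and no longer match the password at all; with it, the stored key stays correct but only a client that learns the explicit salt (in the real protocol, from the KDC's etype-info preauthentication data) can derive the same key.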