kadm5_rename_principal salt question

Ken Raeburn raeburn at MIT.EDU
Mon Sep 24 15:30:20 EDT 2007


On Sep 24, 2007, at 15:00, John Hascall wrote:
> I was under the impression that some of the new encryption types
> (like AES) you had to specify the salt -- I'm trying to understand
> why you would be keeping an explicit salt in the DB otherwise -- so
> I was assuming the salt came back with the ticket.

The string-to-key method in general is specified to take the password
and salt as inputs, though RC4 doesn't use the salt if I recall
correctly.  The salt can be specified by the KDC, but there's a
default method for generating the salt from the principal name and
realm if the KDC doesn't supply it.  In the MIT database, "normal"
salt type means to use this default, and "special" means some random
string stuffed in the database.

For principal renaming, if the database entry originally used
"normal" salt type (and has anything other than an RC4 key), the
default salt string needs to be generated (using the old principal
name) and stored in the new entry as type "special".  If the entry
originally used "special", it stays unchanged.  There are some other
types which should also be examined to see if they need converting.

Ken

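The rename rule from the reply, as an added example in Python that is not MIT krb5 code: salt-type and enctype constants follow MIT's kdb values, principal parsing is simplified (no component escaping), and the AFS3 salt type is deliberately left for separate review rather than converted.

```python
# Added example (not MIT krb5 code): a toy model of why a principal rename
# must preserve the salt of keys whose salt was derived from the OLD name.
from dataclasses import dataclass, replace
from typing import Optional

# MIT kdb salt-type constants (KRB5_KDB_SALTTYPE_*).
NORMAL, V4, NOREALM, ONLYREALM, SPECIAL, AFS3 = 0, 1, 2, 3, 4, 5
ENCTYPE_ARCFOUR_HMAC = 23   # RC4: its string-to-key ignores the salt entirely
ENCTYPE_AES256_CTS = 18     # AES: the salt is an input to string-to-key


@dataclass(frozen=True)
class KeyData:
    enctype: int
    salt_type: int
    salt: bytes = b""       # only meaningful when salt_type == SPECIAL


def default_salt(principal: str) -> bytes:
    """RFC 4120 default salt: realm followed by the name components, no separators."""
    name, realm = principal.rsplit("@", 1)          # simplified: no '\@' escaping
    return (realm + "".join(name.split("/"))).encode()


def derived_salt(principal: str, salt_type: int) -> Optional[bytes]:
    """Salt string a salt type stands for, or None if it does not depend on the name."""
    name, realm = principal.rsplit("@", 1)
    if salt_type == NORMAL:
        return default_salt(principal)
    if salt_type == NOREALM:
        return "".join(name.split("/")).encode()   # name components only
    if salt_type == ONLYREALM:
        return realm.encode()                       # realm only
    # V4 uses an empty salt, SPECIAL already stores its string explicitly, and
    # AFS3 has its own string-to-key: none of these is converted here.
    return None


def rekey_on_rename(key: KeyData, old_principal: str) -> KeyData:
    """Key entry to store under the new name, leaving the key bytes untouched."""
    if key.enctype == ENCTYPE_ARCFOUR_HMAC:
        return key          # the salt never entered the key derivation
    salt = derived_salt(old_principal, key.salt_type)
    if salt is None:
        return key          # nothing name-dependent to freeze
    # Freeze the salt computed from the OLD name as an explicit "special" salt,
    # so passwords still derive the same key after the rename.
    return replace(key, salt_type=SPECIAL, salt=salt)
```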