kadm5_rename_principal salt question

Ken Raeburn raeburn at MIT.EDU
Mon Sep 24 15:30:20 EDT 2007

On Sep 24, 2007, at 15:00, John Hascall wrote:
> I was under the impression that some of the new encryption types
> (like AES) you had to specify the salt -- I'm trying to understand
> why you would be keeping an explicit salt in the DB otherwise -- so
> I was assuming the salt came back with the ticket.

The string-to-key method in general is specified to take the password  
and salt as inputs, though RC4 doesn't use the salt if I recall  
correctly.  The salt can be specified by the KDC, but there's a  
default method for generating the salt from the principal name and  
realm if the KDC doesn't supply it.  In the MIT database, "normal"  
salt type means to use this default, and "special" means some random  
string stuffed in the database.

For principal renaming, if the database entry originally used  
"normal" salt type (and has anything other than an RC4 key), the  
default salt string needs to be generated (using the old principal  
name) and stored in the new entry as type "special".  If the entry  
originally used "special", it stays unchanged.  There are some other  
types which should also be examined to see if they need converting.


More information about the krbdev mailing list