Matching the iteration count for aes encryption when using a keytab

Roland Dowdeswell elric at
Tue Aug 19 20:38:02 EDT 2008

On 1219139182 seconds since the Beginning of the UNIX epoch
"josephharfouch at" wrote:

>I notice that the s2kparams entry in the ETYPE_INFO2 as described in RFC4120 
>is a mechanism where the KDC can inform the client of a different iteration 
>count rather than the default 4096 for AES encryption, so that the client can 
>match the generated key, similar to when a different salt is used.
>How would this work if the key is already precalculated and stored in a
>keytab, i.e. if the kinit -k command is used to obtain a ticket? I presume that a 

IIRC, the keytab stores the keys rather than passphrases used to
generate the keys.  The salt/iteration count is used to convert a
passphrase into a key.  So, neither should be necessary for regular
keytab files.

    Roland Dowdeswell                      http://www.Imrryr.ORG/~elric/
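
The distinction discussed in this thread, as an added example that is not part of the original message or of any Kerberos implementation: the salt and s2kparams iteration count only enter the passphrase path, while the keytab path returns the stored key untouched. It assumes the RFC 3962 encoding of AES s2kparams (a four-octet big-endian count), shows only the PBKDF2 stage (the final DK(tkey, "kerberos") step is omitted because it needs an AES primitive), models the keytab as a plain dict, and uses constructed names and values throughout.

```python
import hashlib
import struct

DEFAULT_ITERATIONS = 4096  # default count the thread mentions for AES

def parse_s2kparams(s2kparams):
    """Decode AES s2kparams: four-octet big-endian count, absent means default."""
    if not s2kparams:
        return DEFAULT_ITERATIONS
    if len(s2kparams) != 4:
        raise ValueError("AES s2kparams must be exactly 4 octets")
    (count,) = struct.unpack(">I", s2kparams)
    if count == 0:
        raise ValueError("count 0 stands for 2**32 in RFC 3962; refused here")
    return count

def passphrase_to_tkey(passphrase, salt, s2kparams=None, keylen=32):
    """Passphrase path: PBKDF2-HMAC-SHA1 stage only (DK step omitted)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), salt.encode(),
                               parse_s2kparams(s2kparams), keylen)

def key_from_keytab(keytab, principal, kvno, enctype):
    """Keytab path: the stored key is returned as is; no salt, no count."""
    return keytab[(principal, kvno, enctype)]

# Constructed sample values (hypothetical principal and passphrase).
PRINCIPAL = "alice@EXAMPLE.COM"
SALT = "EXAMPLE.COMalice"      # realm followed by principal components
PASSPHRASE = "correct horse"
AES256 = 18                    # aes256-cts-hmac-sha1-96

def demo():
    # Key material written to the keytab when the key was created.
    stored = passphrase_to_tkey(PASSPHRASE, SALT)
    keytab = {(PRINCIPAL, 1, AES256): stored}
    # A later ETYPE-INFO2 advertises a non-default count of 8192.
    advertised = struct.pack(">I", 8192)
    from_passphrase = passphrase_to_tkey(PASSPHRASE, SALT, advertised)
    from_keytab = key_from_keytab(keytab, PRINCIPAL, 1, AES256)
    return stored, from_passphrase, from_keytab

if __name__ == "__main__":
    stored, from_passphrase, from_keytab = demo()
    print("passphrase path follows the count:", from_passphrase != stored)
    print("keytab path ignores the count:   ", from_keytab == stored)
```
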
