supported/used salt types
Jeffrey Hutzelman
jhutz at cmu.edu
Wed Jun 25 12:26:32 EDT 2008
--On Wednesday, June 25, 2008 12:30:04 PM +0200 Mark Phalan
<Mark.Phalan at Sun.COM> wrote:
>
> src/lib/krb5/krb/str_conv.c implies the following salt-types are
> supported:
>
> "normal"
> "v4"
> "norealm"
> "onlyrealm"
> "special"
> "afs3"
>
>
> Which of these is actually used/useful? Would it be fair to say that
> "normal" and "afs3" are the only ones that are in regular use?

I think it's fair to say that "norealm" and "onlyrealm" are more or less
never used. The others are all used...

- "normal" is the default salt string based on principal name and realm,
  and is or should be the most widely used case
- "v4" is an empty salt string. This is used to produce keys which are
  used to answer requests from Kerberos 4 clients, and also on keys
  imported during a conversion from a Kerberos 4 database.
- "special", IIRC, is the salt type used when the actual salt string is
  explicitly contained in the KDB. This is used when a principal is
  renamed, such that the actual salt string used to generate its key
  is no longer the same as that generated by the "normal" method.
- "afs3" is the salt string used by the AFS kaserver and its clients.
  It consists of the realm name forced to lower case, but also indicates
  use of an alternate string-to-key algorithm for DES keys (and should
  be invalid on any other enctypes).

-- Jeff
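The salt types discussed in this thread, as an added example that is not part of the original post or of the krb5 source: it builds the salt string for each type and shows why a renamed principal needs the "special" type. Assumptions: the function names, the EXAMPLE.ORG principals and the password are constructed; "norealm" and "onlyrealm" are taken to mean what their names suggest (the post does not define them); PBKDF2-HMAC-SHA1 stands in for a salted string-to-key and is not the full Kerberos derivation.

```python
import hashlib

def salt_for(salttype, realm, components, stored=None):
    """Return the salt bytes for a principal under the named salt type."""
    name = "".join(components)           # name components, no separators
    if salttype == "normal":
        return (realm + name).encode()   # realm followed by the name
    if salttype == "v4":
        return b""                       # empty salt, Kerberos 4 style keys
    if salttype == "norealm":            # assumption: name without the realm
        return name.encode()
    if salttype == "onlyrealm":          # assumption: realm alone
        return realm.encode()
    if salttype == "afs3":
        return realm.lower().encode()    # realm forced to lower case
    if salttype == "special":
        if stored is None:
            raise ValueError("special salt needs the salt stored in the KDB")
        return stored                    # explicit salt kept with the key
    raise ValueError("unknown salt type: " + salttype)

def toy_key(password, salt):
    """Stand-in for a salted string-to-key (assumption, see lead-in)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, 16)

def rename_demo():
    """Rename alice -> alice2 without changing the stored key."""
    realm, password = "EXAMPLE.ORG", "constructed-password"
    old_salt = salt_for("normal", realm, ["alice"])
    key_in_kdb = toy_key(password, old_salt)      # key made before the rename
    # After the rename, the "normal" salt is derived from the new name,
    # so a client using it derives a different key from the same password.
    normal_after = salt_for("normal", realm, ["alice2"])
    # Recording the old salt as a "special" salt keeps the key reproducible.
    special_after = salt_for("special", realm, ["alice2"], stored=old_salt)
    return (toy_key(password, normal_after) == key_in_kdb,
            toy_key(password, special_after) == key_in_kdb)

if __name__ == "__main__":
    for t in ("normal", "v4", "norealm", "onlyrealm", "afs3"):
        print(t, salt_for(t, "EXAMPLE.ORG", ["host", "www.example.org"]))
    print("normal matches after rename, special matches:", rename_demo())
```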