supported/used salt types

Jeffrey Hutzelman jhutz at
Wed Jun 25 12:26:32 EDT 2008

--On Wednesday, June 25, 2008 12:30:04 PM +0200 Mark Phalan 
<Mark.Phalan at Sun.COM> wrote:

> src/lib/krb5/krb/str_conv.c implies the following salt-types are
> supported:
> "normal"
> "v4"
> "norealm"
> "onlyrealm"
> "special"
> "afs3"
> Which of these is actually used/useful? Would it be fair to say that
> "normal" and "afs3" are the only ones that are in regular use?

I think it's fair to say that "norealm" and "onlyrealm" are more or less 
never used.  The others are all used...

- "normal" is the default salt string based on principal name and realm,
  and is or should be the most widely used case
- "v4" is an empty salt string.  This is used to produce keys which are
  used to answer requests from Kerberos 4 clients, and also on keys
  imported during a conversion from a Kerberos 4 database.
- "special", IIRC, is the salt type used when the actual salt string is
  explicitly contained in the KDB.  This is used when a principal is
  renamed, such that the actual salt string used to generate its key
  is no longer the same as that generated by the "normal" method.
- "afs3" is the salt string used by the AFS kaserver and its clients.
  It consists of the realm name forced to lower case, but also indicates
  use of an alternate string-to-key algorithm for DES keys (and should
  be invalid on any other enctypes).

-- Jeff
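
As an added illustration (not code from this post or from the krb5 source), the C sketch below derives the salt string each listed type would yield for a principal, and shows why a renamed principal needs the "special" type. The enum and function names are hypothetical; the "normal" layout (realm followed by the name components, no separators) follows RFC 4120, "norealm" and "onlyrealm" are assumed to be its two halves, and the alternate afs3 string-to-key algorithm is not modelled.

```c
#include <ctype.h>
#include <string.h>

/* Salt types named in the thread; the enum itself is hypothetical. */
enum salt_type { SALT_NORMAL, SALT_V4, SALT_NOREALM, SALT_ONLYREALM,
                 SALT_SPECIAL, SALT_AFS3 };

/* Write the salt string for a principal into out. comps is a NULL-terminated
 * list of name components; stored is the explicit salt kept in the KDB and
 * is consulted only for SALT_SPECIAL. Returns the salt length, or -1 if the
 * buffer is too small or a "special" salt is missing. */
int derive_salt(enum salt_type t, const char *realm, const char *const *comps,
                const char *stored, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz == 0) return -1;
    out[0] = '\0';
    if (t == SALT_V4) return 0;                      /* empty salt string */
    if (t == SALT_SPECIAL) {
        if (!stored || strlen(stored) >= outsz) return -1;
        strcpy(out, stored);
        return (int)strlen(out);
    }
    if (t != SALT_NOREALM) {                         /* realm comes first */
        if (strlen(realm) >= outsz) return -1;
        for (; realm[n]; n++)                        /* afs3: lower-cased */
            out[n] = (t == SALT_AFS3) ? (char)tolower((unsigned char)realm[n])
                                      : realm[n];
    }
    if (t == SALT_NORMAL || t == SALT_NOREALM) {     /* then the components */
        for (; *comps; comps++) {
            size_t len = strlen(*comps);
            if (n + len >= outsz) return -1;
            memcpy(out + n, *comps, len);
            n += len;
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Rename check: returns 1 if the salt a key was generated with still equals
 * the "normal" salt of the principal's current name. When it returns 0 the
 * old salt has to be kept explicitly, which is the "special" case. */
int normal_salt_matches(const char *realm, const char *const *comps,
                        const char *key_salt)
{
    char buf[256];
    return derive_salt(SALT_NORMAL, realm, comps, NULL, buf, sizeof buf) >= 0
           && strcmp(buf, key_salt) == 0;
}
```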

More information about the krbdev mailing list