supported/used salt types

Mark Phalan Mark.Phalan at Sun.COM
Wed Jun 25 15:44:14 EDT 2008

On Wed, 2008-06-25 at 12:26 -0400, Jeffrey Hutzelman wrote:
> --On Wednesday, June 25, 2008 12:30:04 PM +0200 Mark Phalan 
> <Mark.Phalan at Sun.COM> wrote:
> >
> > src/lib/krb5/krb/str_conv.c implies the following salt-types are
> > supported:
> >
> > "normal"
> > "v4"
> > "norealm"
> > "onlyrealm"
> > "special"
> > "afs3"
> >
> >
> > Which of these is actually used/useful? Would it be fair to say that
> > "normal" and "afs3" are the only ones that are in regular use?
> I think it's fair to say that "norealm" and "onlyrealm" are more or less 
> never used.  The others are all used...
> - "normal" is the default salt string based on principal name and realm,
>   and is or should be the most widely used case
> - "v4" is an empty salt string.  This is used to produce keys which are
>   used to answer requests from Kerberos 4 clients, and also on keys
>   imported during a conversion from a Kerberos 4 database.
> - "special", IIRC, is the salt type used when the actual salt string is
>   explicitly contained in the KDB.  This is used when a principal is
>   renamed, such that the actual salt string used to generate its key
>   is no longer as that generated by the "normal" method.

Is there a standard way to rename a principal? kadmin doesn't seem to
offer an option...

> - "afs3" is the salt string used by the AFS kaserver and its clients.
>   It consists of the realm name forced to lower case, but also indicates
>   use of an alternate string-to-key algorithm for DES keys (and should
>   be invalid on any other enctypes).

Thanks for the useful info!


More information about the krbdev mailing list