supported/used salt types
Mark.Phalan at Sun.COM
Wed Jun 25 15:44:14 EDT 2008
On Wed, 2008-06-25 at 12:26 -0400, Jeffrey Hutzelman wrote:
> --On Wednesday, June 25, 2008 12:30:04 PM +0200 Mark Phalan
> <Mark.Phalan at Sun.COM> wrote:
> > src/lib/krb5/krb/str_conv.c implies the following salt-types are
> > supported:
> > "normal"
> > "v4"
> > "norealm"
> > "onlyrealm"
> > "special"
> > "afs3"
> > Which of these is actually used/useful? Would it be fair to say that
> > "normal" and "afs3" are the only ones that are in regular use?
> I think it's fair to say that "norealm" and "onlyrealm" are more or less
> never used. The others are all used...
> - "normal" is the default salt string based on principal name and realm,
> and is or should be the most widely used case
> - "v4" is an empty salt string. This is used to produce keys which are
> used to answer requests from Kerberos 4 clients, and also on keys
> imported during a conversion from a Kerberos 4 database.
> - "special", IIRC, is the salt type used when the actual salt string is
> explicitly contained in the KDB. This is used when a principal is
> renamed, such that the actual salt string used to generate its key
> is no longer the same as that generated by the "normal" method.
Is there a standard way to rename a principal? kadmin doesn't seem to
offer an option...
> - "afs3" is the salt string used by the AFS kaserver and its clients.
> It consists of the realm name forced to lower case, but also indicates
> use of an alternate string-to-key algorithm for DES keys (and should
> be invalid on any other enctypes).
Thanks for the useful info!
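
An added example, not part of the original message or of the krb5 source: a sketch of the salt string each salt type in the thread yields, and of why a renamed principal needs the "special" type to keep its key. The "norealm" and "onlyrealm" compositions are assumed from their names, `toy_string_to_key` is a PBKDF2 stand-in rather than a real Kerberos string-to-key function, and the realm, principal names and password are constructed.

```python
import hashlib

def salt_for(salt_type, realm, components, stored=b""):
    """Return the salt bytes for one of the salt types listed in the thread."""
    name = "".join(components).encode()
    if salt_type == "normal":      # default salt: realm, then the name components
        return realm.encode() + name
    if salt_type == "v4":          # empty salt, for Kerberos 4 compatible keys
        return b""
    if salt_type == "norealm":     # assumption: name components only
        return name
    if salt_type == "onlyrealm":   # assumption: realm only
        return realm.encode()
    if salt_type == "afs3":        # realm forced to lower case, per the thread
        # The thread notes afs3 also selects an alternate DES string-to-key
        # algorithm; that algorithm is not modelled here.
        return realm.lower().encode()
    if salt_type == "special":     # salt stored explicitly in the KDB entry
        return stored
    raise ValueError("unknown salt type: %r" % salt_type)

def toy_string_to_key(password, salt):
    # Stand-in only: shows that the key depends on (password, salt).
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, 32)

def rename_demo():
    """Rename alice -> alice2 without changing the password (constructed data)."""
    realm, password = "EXAMPLE.COM", "constructed-password"
    old_salt = salt_for("normal", realm, ["alice"])
    old_key = toy_string_to_key(password, old_salt)
    # Recomputing the default salt from the new name yields a different key,
    # so the existing key would no longer match what clients derive.
    renamed_normal = toy_string_to_key(
        password, salt_for("normal", realm, ["alice2"]))
    # Keeping the old salt string in the entry ("special") preserves the key.
    renamed_special = toy_string_to_key(
        password, salt_for("special", realm, ["alice2"], stored=old_salt))
    return old_key, renamed_normal, renamed_special

if __name__ == "__main__":
    for t in ("normal", "v4", "norealm", "onlyrealm", "afs3"):
        print(t, salt_for(t, "EXAMPLE.COM", ["host", "www.example.com"]))
    old, normal, special = rename_demo()
    print("key kept with special salt:", old == special)
    print("key kept with recomputed normal salt:", old == normal)
```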