supported/used salt types

Ken Raeburn raeburn at MIT.EDU
Wed Jun 25 17:08:23 EDT 2008

On Jun 25, 2008, at 15:44, Mark Phalan wrote:
>> - "special", IIRC, is the salt type used when the actual salt  
>> string is
>>  explicitly contained in the KDB.  This is used when a principal is
>>  renamed, such that the actual salt string used to generate its key
>>  is no longer as that generated by the "normal" method.
> Is there a standard way to rename a principal? kadmin doesn't seem to
> offer an option...

The functionality exists in the library; I don't know how well tested  
it is.  But glancing at the server side code, it just errors out if  
the "normal" salt type is used, rather than fixing the salt.  I think  
there's a patch floating around to make it available via kadmin.  It  
would make sense to fix this up to DTRT in the normal salt case and  
(separately) make it accessible from kadmin in the release...

(And take as reiterated here my desire for a "random" salt type that  
generates a new, long, random string on each password change, to  
confound key dictionary generation attacks.)


More information about the krbdev mailing list