supported/used salt types
Ken Raeburn
raeburn at MIT.EDU
Wed Jun 25 17:08:23 EDT 2008
On Jun 25, 2008, at 15:44, Mark Phalan wrote:
>> - "special", IIRC, is the salt type used when the actual salt
>> string is
>> explicitly contained in the KDB. This is used when a principal is
>> renamed, such that the actual salt string used to generate its key
>> is no longer as that generated by the "normal" method.
>
> Is there a standard way to rename a principal? kadmin doesn't seem to
> offer an option...
The functionality exists in the library; I don't know how well tested
it is. But glancing at the server side code, it just errors out if
the "normal" salt type is used, rather than fixing the salt. I think
there's a patch floating around to make it available via kadmin. It
would make sense to fix this up to DTRT in the normal salt case and
(separately) make it accessible from kadmin in the release...
(And take as reiterated here my desire for a "random" salt type that
generates a new, long, random string on each password change, to
confound key dictionary generation attacks.)
Ken
More information about the krbdev
mailing list