Enctype configuration

Sam Hartman hartmans at MIT.EDU
Sat Jul 25 06:59:44 EDT 2009

>>>>> "Greg" == Greg Hudson <ghudson at MIT.EDU> writes:
    Greg> 2. As noted in RFC 4120, "it is not possible to generate a
    Greg> user's key reliably given a pass phrase without contacting
    Greg> the KDC, since it will not be known whether alternate salt
    Greg> or parameter values are required."  However, you can guess
    Greg> that the salt is the mangled principal, and our ktutil
    Greg> addent -password command does exactly that.  That guess is
    Greg> wrong if the admin used any non-NORMAL salt type when
    Greg> creating the principal, or the principal has been renamed
    Greg> (you can't rename a NORMAL-salted principal right now, but
    Greg> you could if we processed the patch in RT #6323)... but in
    Greg> the usual case, the guess is right.  That would cease to be
    Greg> true if we switched to explicit random salts.

    Greg> It should be possible to modify ktutil to contact the KDC,
    Greg> assuming that salt information is present in
    Greg> PREAUTH_REQUIRED errors, which seems to be true according to
    Greg> a scan of the RFC.

Thanks for bringing this up.  Unfortunately there are some interop
cases where random salt will be a problem.  One is creating
cross-realm passwords.  Another is creating machine and service
accounts for Windows.  For this reason, I think it is important to
retain the ability to support normal salt for a principal.

I don't think that needs to be coupled to supported_enctypes in the
config file.

One possibility is to only support it with the -e option of cpw in
kadmin.  Another is to have a principal flag.

More information about the krbdev mailing list