Enctype configuration

Henry B. Hotz hotz at jpl.nasa.gov
Mon Jul 27 17:00:38 EDT 2009

On Jul 25, 2009, at 7:29 AM, krbdev-request at mit.edu wrote:

> Date: Sat, 25 Jul 2009 06:59:44 -0400
> From: Sam Hartman <hartmans at MIT.EDU>
> Subject: Re: Enctype configuration
> To: Greg Hudson <ghudson at MIT.EDU>
> Cc: krbdev at mit.edu
> Message-ID: <tslk51xkoyn.fsf at mit.edu>
> Content-Type: text/plain; charset=us-ascii
>>>>>> "Greg" == Greg Hudson <ghudson at MIT.EDU> writes:
>    Greg> 2. As noted in RFC 4120, "it is not possible to generate a
>    Greg> user's key reliably given a pass phrase without contacting
>    Greg> the KDC, since it will not be known whether alternate salt
>    Greg> or parameter values are required."  However, you can guess
>    Greg> that the salt is the mangled principal, and our ktutil
>    Greg> addent -password command does exactly that.  That guess is
>    Greg> wrong if the admin used any non-NORMAL salt type when
>    Greg> creating the principal, or the principal has been renamed
>    Greg> (you can't rename a NORMAL-salted principal right now, but
>    Greg> you could if we processed the patch in RT #6323)... but in
>    Greg> the usual case, the guess is right.  That would cease to be
>    Greg> true if we switched to explicit random salts.
>    Greg> It should be possible to modify ktutil to contact the KDC,
>    Greg> assuming that salt information is present in
>    Greg> PREAUTH_REQUIRED errors, which seems to be true according to
>    Greg> a scan of the RFC.
> Thanks for bringing this up.  Unfortunately there are some interop
> cases where random salt will be a problem.  One is creating
> cross-realm passwords.  Another is creating machine and service
> accounts for Windows.  For this reason, I think it is important to
> retain the ability to support normal salt for a principal.
> I don't think that needs to be coupled to supported_enctypes in the
> config file.
> One possibility is to only support it with the -e option of cpw in
> kadmin.  Another is to have a principal flag.

I have occasionally recommended implementing a keytab import  
capability for this purpose.

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu

More information about the krbdev mailing list